Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe
Analysis ID:1538279
MD5:f937d31f13fcd8a8ad2bf6b231f2702f
SHA1:048c894872b31484b39ffc86f38705baa80be950
SHA256:ee559187bda33c1d7b223fae61887d5c527ed413e788d3f377a5d6e76d53c220
Tags:exe
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Uses Microsoft's Enhanced Cryptographic Provider
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe" MD5: F937D31F13FCD8A8AD2BF6B231F2702F)
    • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
    • cmd.exe (PID: 7640 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 7656 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 7684 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 7700 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 7732 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 7748 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 7776 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • sc.exe (PID: 7792 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 7808 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • sc.exe (PID: 7824 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 7836 cmdline: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 7852 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 7868 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 7920 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 7940 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 7980 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 7996 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 8028 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • sc.exe (PID: 8044 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 8060 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • sc.exe (PID: 8072 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 8092 cmdline: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 8140 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 8156 cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 8184 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 7184 cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 7260 cmdline: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 7304 cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • cmd.exe (PID: 7384 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • sc.exe (PID: 7044 cmdline: sc stop HTTPDebuggerPro MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 524 cmdline: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • sc.exe (PID: 4444 cmdline: sc stop HTTPDebuggerProSdk MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 5636 cmdline: C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • WerFault.exe (PID: 5436 cmdline: C:\Windows\system32\WerFault.exe -u -p 7548 -s 996 MD5: 59550DE0393B1CDD584A1467D6D734E7)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeAvira: detected
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeReversingLabs: Detection: 50%
Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.5% probability
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeJoe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD2BCDD strtol,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,_strdup,CertOpenStore,GetLastError,free,free,CryptStringToBinaryA,CertFindCertificateInStore,fopen,fseek,ftell,fseek,malloc,fread,fclose,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertCloseStore,calloc,CertFreeCertificateContext,fclose,free,CertFreeCertificateContext,free,calloc,0_2_00007FF73AD2BCDD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD4EBE0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,0_2_00007FF73AD4EBE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD50CD0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF73AD50CD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD2DFC0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF73AD2DFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD2AFD0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,0_2_00007FF73AD2AFD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD2DFB0 CryptHashData,0_2_00007FF73AD2DFB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD2DF60 CryptAcquireContextA,CryptCreateHash,0_2_00007FF73AD2DF60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD2B0A0 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF73AD2B0A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD48190 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,malloc,ReadFile,strstr,strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,CloseHandle,free,0_2_00007FF73AD48190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD47870 CertOpenStore,GetLastError,CertCreateCertificateChainEngine,GetLastError,CertGetCertificateChain,GetLastError,CertGetNameStringA,malloc,CertFindExtension,CryptDecodeObjectEx,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertFreeCertificateChainEngine,CertCloseStore,CertFreeCertificateChain,CertFreeCertificateContext,0_2_00007FF73AD47870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: -----BEGIN PUBLIC KEY-----0_2_00007FF73AD10E80
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeBinary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: mov dword ptr [rbp+04h], 424D53FFh0_2_00007FF73AD3A8A0
Source: unknownHTTPS traffic detected: 172.67.72.57:443 -> 192.168.2.3:63891 version: TLS 1.2
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Fivem Cheat e Spoofer C++\Auth Fivem C++\x64\Release\EpicGames.pdb source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe
Source: global trafficHTTP traffic detected: POST /api/1.1/ HTTP/1.1Host: keyauth.winAccept: */*Content-Length: 47Content-Type: application/x-www-form-urlencoded
Source: Joe Sandbox ViewIP Address: 172.67.72.57 172.67.72.57
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD07B60 malloc,recv,free,0_2_00007FF73AD07B60
Source: global trafficDNS traffic detected: DNS query: keyauth.win
Source: unknownHTTP traffic detected: POST /api/1.1/ HTTP/1.1Host: keyauth.winAccept: */*Content-Length: 47Content-Type: application/x-www-form-urlencoded
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeString found in binary or memory: http://185.101.104.122/Runtimess.exe
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeString found in binary or memory: http://185.101.104.122/Runtimess.exeC:
Source: Amcache.hve.38.drString found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1589581590.0000016CC830C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://keyauth.win/api/1.1/
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1589581590.0000016CC830C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://keyauth.win/api/1.1/Micro
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1589581590.0000016CC830C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://keyauth.win/api/1.1/pace
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1589581590.0000016CC830C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://keyauth.win/api/1.2/
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1589581590.0000016CC830C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://keyauth.win/api/1.2/Commo
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://keyauth.win/api/1.2/fivem
Source: unknownNetwork traffic detected: HTTP traffic on port 63891 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 63891
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: String function: 00007FF73AD52122 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: String function: 00007FF73AD1C040 appears 37 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: String function: 00007FF73AD04DD0 appears 49 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: String function: 00007FF73AD17890 appears 324 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: String function: 00007FF73AD1C0D0 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: String function: 00007FF73AD1AB50 appears 46 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: String function: 00007FF73AD11FE0 appears 70 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: String function: 00007FF73AD1AC20 appears 36 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: String function: 00007FF73AD1C1B0 appears 34 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: String function: 00007FF73AD17710 appears 380 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7548 -s 996
Source: classification engineClassification label: mal64.evad.winEXE@69/22@1/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD03BEE FormatMessageA,strchr,_errno,_errno,GetLastError,SetLastError,0_2_00007FF73AD03BEE
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7548
Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\5c308abb-b4bd-4c94-82ac-d3f0ad741560
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeString found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ(nil)(nil)I32I64%ld.%ld$@8t
Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7548 -s 996
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Fivem Cheat e Spoofer C++\Auth Fivem C++\x64\Release\EpicGames.pdb source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Code function: 0_2_00007FF73AD1A400 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-48234
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe API coverage: 3.9 %
Source: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1589581590.0000016CC830C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWbl
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Code function: 0_2_00007FF73AD51C30 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Code function: 0_2_00007FF73AD51FC8 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73AD1A400 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free,0_2_00007FF73AD1A400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exeCode function: 0_2_00007FF73ACF28E0 GetProcessHeap,0_2_00007FF73ACF28E0
Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Code function: 0_2_00007FF73AD51C30 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF73AD51C30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Code function: 0_2_00007FF73AD51DD8 SetUnhandledExceptionFilter,0_2_00007FF73AD51DD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Code function: 0_2_00007FF73AD518C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF73AD518C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Code function: 0_2_00007FF73AD51E44 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF73AD51E44
Source: Amcache.hve.38.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.38.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.38.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.38.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.38.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Code function: 0_2_00007FF73AD26800 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,memcmp,closesocket,closesocket,closesocket,closesocket,0_2_00007FF73AD26800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Code function: 0_2_00007FF73AD193D0 memset,strncmp,strncmp,strchr,htons,atoi,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,0_2_00007FF73AD193D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Code function: 0_2_00007FF73AD3D4F0 calloc,calloc,calloc,bind,WSAGetLastError,0_2_00007FF73AD3D4F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Code function: 0_2_00007FF73AD3D2BE calloc,calloc,calloc,bind,WSAGetLastError,0_2_00007FF73AD3D2BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe Code function: 0_2_00007FF73AD36790 calloc,strchr,strncpy,strchr,strncpy,strchr,strtoul,strchr,strtoul,getsockname,WSAGetLastError,free,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,0_2_00007FF73AD36790
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | 1 Exploitation of Remote Services | 12 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 51 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Native API | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 3 System Information Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
[Figure: Behavior Graph. ID: 1538279; Sample: SecuriteInfo.com.Win64.Drop...; Startdate: 20/10/2024; Architecture: WINDOWS; Score: 64. Nodes shown: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe; keyauth.win 172.67.72.57, 443, 63891 CLOUDFLARENETUS United States; 127.0.0.1; cmd.exe processes starting taskkill.exe and sc.exe.]

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe | 50% | ReversingLabs | Win64.Trojan.Generic |
SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe | 100% | Avira | HEUR/AGEN.1315669 |
SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe | 100% | Joe Sandbox ML | |

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
https://curl.haxx.se/docs/http-cookies.html | 0% | URL Reputation | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
keyauth.win | 172.67.72.57 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://keyauth.win/api/1.1/ | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.38.dr | false | URL Reputation: safe | unknown
https://keyauth.win/api/1.1/Micro | SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1589581590.0000016CC830C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.101.104.122/Runtimess.exeC: | SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe | false | | unknown
https://keyauth.win/api/1.1/pace | SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1589581590.0000016CC830C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.101.104.122/Runtimess.exe | SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe | false | | unknown
https://curl.haxx.se/docs/http-cookies.html | SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe | false | URL Reputation: safe | unknown
https://curl.haxx.se/docs/http-cookies.html# | SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe | false | | unknown
https://keyauth.win/api/1.2/ | SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1589581590.0000016CC830C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://keyauth.win/api/1.2/fivem | SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp | false | | unknown
https://keyauth.win/api/1.2/Commo | SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe, 00000000.00000002.1589581590.0000016CC830C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.67.72.57 | keyauth.win | United States | | 13335 | CLOUDFLARENETUS | false

IP
127.0.0.1

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1538279
Start date and time:2024-10-20 23:23:45 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 8s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:44
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe
Detection:MAL
Classification:mal64.evad.winEXE@69/22@1/2
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 42
  • Number of non-executed functions: 244
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 13.89.179.12, 52.168.117.173
  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, watson.events.data.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollectorcommon.trafficmanager.net, ctldl.windowsupdate.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • VT rate limit hit for: SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe

Time | Type | Description
17:25:09 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.72.57 | SecuriteInfo.com.Win64.MalwareX-gen.10159.8143.exe | malicious | Unknown |
172.67.72.57 | lvXRlexBnb.exe | malicious | Unknown |
172.67.72.57 | flX5YA1C09.exe | malicious | Unknown |
172.67.72.57 | Iyto7FYCJO.exe | malicious | Unknown |
172.67.72.57 | SecuriteInfo.com.Trojan.GenericKD.74313215.18321.7540.exe | malicious | Unknown |
172.67.72.57 | SecuriteInfo.com.Variant.Tedy.640280.26081.14300.exe | malicious | Unknown |
172.67.72.57 | fox vanguard bypass.exe | malicious | Unknown |
172.67.72.57 | SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe | malicious | Unknown |
172.67.72.57 | SecuriteInfo.com.W64.GenKryptik.GHEK.tr.28454.21428.exe | malicious | Unknown |
172.67.72.57 | SecuriteInfo.com.Trojan.MulDrop28.40.18458.1049.exe | malicious | Unknown |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
keyauth.win | SecuriteInfo.com.Win64.MalwareX-gen.29573.28124.exe | malicious | Unknown | 104.26.0.5
keyauth.win | SecuriteInfo.com.Win64.MalwareX-gen.10159.8143.exe | malicious | Unknown | 172.67.72.57
keyauth.win | SecuriteInfo.com.Win64.MalwareX-gen.6639.30242.exe | malicious | Unknown | 104.26.0.5
keyauth.win | SecuriteInfo.com.FileRepMalware.16016.24947.exe | malicious | Unknown | 104.26.0.5
keyauth.win | SecuriteInfo.com.Win64.MalwareX-gen.25010.24037.exe | malicious | Unknown | 104.26.1.5
keyauth.win | SecuriteInfo.com.Win64.Evo-gen.20107.17462.exe | malicious | Unknown | 104.26.0.5
keyauth.win | lvXRlexBnb.exe | malicious | Unknown | 172.67.72.57
keyauth.win | J1un7vGf29.exe | malicious | Unknown | 104.26.0.5
keyauth.win | flX5YA1C09.exe | malicious | Unknown | 104.26.0.5
keyauth.win | bC7vK74a5a.exe | malicious | Unknown | 104.26.0.5

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.Generic.36879400.484.7364.exe | malicious | Unknown | 104.26.0.5
CLOUDFLARENETUS | SecuriteInfo.com.Win64.MalwareX-gen.29573.28124.exe | malicious | Unknown | 104.26.0.5
CLOUDFLARENETUS | SecuriteInfo.com.Win64.MalwareX-gen.10159.8143.exe | malicious | Unknown | 172.67.72.57
CLOUDFLARENETUS | SecuriteInfo.com.Win64.MalwareX-gen.6639.30242.exe | malicious | Unknown | 104.26.0.5
CLOUDFLARENETUS | SecuriteInfo.com.FileRepMalware.16016.24947.exe | malicious | Unknown | 104.26.0.5
CLOUDFLARENETUS | SecuriteInfo.com.Win64.MalwareX-gen.25010.24037.exe | malicious | Unknown | 104.26.1.5
CLOUDFLARENETUS | d600758023374f78d58acafbcaf94af66ad203b28e22a.exe | malicious | Quasar | 172.67.74.152
CLOUDFLARENETUS | SecuriteInfo.com.Win64.Evo-gen.20107.17462.exe | malicious | Unknown | 104.26.0.5
CLOUDFLARENETUS | file.exe | malicious | LummaC | 104.21.53.8
CLOUDFLARENETUS | w49A5FG3yg.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188.114.96.3

Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | d600758023374f78d58acafbcaf94af66ad203b28e22a.exe | malicious | Quasar | 172.67.72.57
3b5074b1b5d032e5620f69f9f700ff0e | lvXRlexBnb.exe | malicious | Unknown | 172.67.72.57
3b5074b1b5d032e5620f69f9f700ff0e | J1un7vGf29.exe | malicious | Unknown | 172.67.72.57
3b5074b1b5d032e5620f69f9f700ff0e | flX5YA1C09.exe | malicious | Unknown | 172.67.72.57
3b5074b1b5d032e5620f69f9f700ff0e | bC7vK74a5a.exe | malicious | Unknown | 172.67.72.57
3b5074b1b5d032e5620f69f9f700ff0e | lvXRlexBnb.exe | malicious | Unknown | 172.67.72.57
3b5074b1b5d032e5620f69f9f700ff0e | J1un7vGf29.exe | malicious | Unknown | 172.67.72.57
3b5074b1b5d032e5620f69f9f700ff0e | flX5YA1C09.exe | malicious | Unknown | 172.67.72.57
3b5074b1b5d032e5620f69f9f700ff0e | bC7vK74a5a.exe | malicious | Unknown | 172.67.72.57
3b5074b1b5d032e5620f69f9f700ff0e | G9e272AEyo.exe | malicious | Unknown | 172.67.72.57

No context

                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):1.0503684392305133
                                          Encrypted:false
                                          SSDEEP:192:vp77nudBNOv09Wg1s6tjFPzlSuiFoH4lO8ZNT:B7judBNOc9Wge6tjTSuiFoH4lO8ZNT
                                          MD5:8444E73F025A13FE357DF1AD8EC66754
                                          SHA1:9B6B8E1806C5E700578C8FA884DD1F2A71DB6EC0
                                          SHA-256:7E8C606C40ADACCBC2475CEED9D4A7AB6A3E0E991011DEFF2D613DD36FBED60B
                                          SHA-512:C8F2BBEAE788C87A63D7872713DD74DF515EA592B1C8FE572FB2F625AD06D6AA13BEBBD92E718AC87A5AEC3BBFFBE55FEC4EB1F3636FF2D4345BED91F13AA24D
                                          Malicious:false
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:Mini DuMP crash report, 14 streams, Sun Oct 20 21:24:57 2024, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):109686
                                          Entropy (8bit):1.5785979257615157
                                          Encrypted:false
                                          SSDEEP:384:u7BD/mG0/6RuKCl1/6i8bo9NwgG+KEhY9UKrQs/iYhjt:u7BD/mG0yRuKCl1ygGX0XYh
                                          MD5:32F1870D94C403C696467E45B310C87B
                                          SHA1:CFFC1D95659992EB9131B05C0A5035FE66AD2F1C
                                          SHA-256:0491C30BCA69CFF557D99B12A222609C1B207776D415589C00DA2C3B6A3C8760
                                          SHA-512:C073A2CAF198E3AF1FB7525FB3B467E6138038E974BCD12293462603BB76B81A349926FAD59EE4A4205D3B306ABC7EDD5F152B18C6927222422FA85276AEA93C
                                          Malicious:false
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):10362
                                          Entropy (8bit):3.7188198260631404
                                          Encrypted:false
                                          SSDEEP:192:R6l79RJOQvm6YwZmO7dLgmfzq/plprt89bSf3fJmm:R6lXJOgm6YuJ7dLgmfzq/pCSPfB
                                          MD5:BBD746F5F7F89CA293913D07DA495A46
                                          SHA1:D798FC21870F8850FE89E29988E44C8CD938E55C
                                          SHA-256:DBD111D88A5FD88FE08606560B98A4655A13B24F915A7802F57EC01CABEADCC9
                                          SHA-512:6D613F03A271BB8E9613BF8E94A5001EC1C0C83DA5C3B544D74AEF0B99FE0A2EFA1CDED9BA6F1101A2CA169D306A62DE791CE90B77F78F36CEE7094D3626C14A
                                          Malicious:false
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...3.4.4.8...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.3.4.4.8.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.4.8.<./.P.i.
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4907
                                          Entropy (8bit):4.572930343917319
                                          Encrypted:false
                                          SSDEEP:48:cvIwr7SGl8zsgJgkZ71I9JAlXWpW8VY1Ym8M4J5Rb8LFFqkTyq85dOS22kPYPbd:uIafmh7sAlm7VlJWqkTR240bd
                                          MD5:1081ABD6787AC3A7E97D26694EBFB3B3
                                          SHA1:1747084C1F06EB4574D688FFDA9A48A0FD34E859
                                          SHA-256:02DE1C2B3B25619CB8441AF8B0154564F17BC65B04C485A2E073590CE402F047
                                          SHA-512:D7BD09E3DD9C9F86724651187CE52A8CDAB7447E4FD41194AF90B7955805F5E5B11CBE3B7BA7CF9AB0B6F4E4CF7806A6CE1C8B5C22DC5E838B6958D07A13C277
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="3448" />.. <arg nm="verqfe" val="3448" />.. <arg nm="csdbld" val="3448" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222896057" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:MS Windows registry file, NT/2000 or above
                                          Category:dropped
                                          Size (bytes):1835008
                                          Entropy (8bit):4.327533570170789
                                          Encrypted:false
                                          SSDEEP:6144:zRJufhX4RxLT+y6H4A0WBIIQfTa765q/E5ySvL+ML61VhcRo5d5OWiBe9u:lJQ3BIdBvL+S6cIdYFcu
                                          MD5:046E9A7714D95161855CA438FE561C2E
                                          SHA1:65E1268B6BDC3C2C901AB3A18CAF1477DA71C6F3
                                          SHA-256:4CB949D7A4F09DA193C8C223FEAABBB2B50D1A03E3DFDE61E65B1DAE2F15BBBF
                                          SHA-512:A4B8906EF7E43F1F23E47BA648FAC273044EFB8431B05007EDB72AA777917983CA8605240D2AA9B420D3209CF5F5C4A305688C08E0E2C49D7486853DF5495284
                                          Malicious:false
                                          Preview:regfO...O....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..R.6#..............................................................................................................................................................................................................................................................................................................................................&8F.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\cmd.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):44
                                          Entropy (8bit):4.003997527334849
                                          Encrypted:false
                                          SSDEEP:3:HnRthLK5a6eCMABe:HRoJPO
                                          MD5:DF5DC1ABC0D52F3C9E931E26A7C0065C
                                          SHA1:EE84123D3B3BC440C63DFE65FF5616BE2B0904D5
                                          SHA-256:F7167A2FACDE50428D8D2697A1CDFF075DE809323DD16D62B65CDD103B2A9A6D
                                          SHA-512:9B2253CE41880D22A2DDF4F886BB6CB22FF0C981400CD9D03A1FCA81DE5FAEB86C26B85B66ECEC960816D7BBE9740843890F2FCCD334B6D274295A32A8E6A4E9
                                          Malicious:false
                                          Preview:The system cannot find the file specified...
                                          File type:PE32+ executable (console) x86-64, for MS Windows
                                          Entropy (8bit):6.422095119373222
                                          TrID:
                                          • Win64 Executable Console (202006/5) 92.65%
                                          • Win64 Executable (generic) (12005/4) 5.51%
                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                          • DOS Executable Generic (2002/1) 0.92%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe
                                          File size:519'168 bytes
                                          MD5:f937d31f13fcd8a8ad2bf6b231f2702f
                                          SHA1:048c894872b31484b39ffc86f38705baa80be950
                                          SHA256:ee559187bda33c1d7b223fae61887d5c527ed413e788d3f377a5d6e76d53c220
                                          SHA512:8b02f0c10f7e6e8a996f1e4fe3d0ef175cad9fb190ed3b1373d3d8d44bde1e4623012cb6cd59a7d91213f0a6563924cb49d6a95f1c5eff793e63b37d878dca86
                                          SSDEEP:6144:KpGCzDQatlLMmRyHGq+FYiy3Ax16M6QmXFCgxrTOwt/vnXqPTYmO7wVWwoKn1JX:KpG4DQarqFyYiyk16jX0gxPOmHXqDe6
                                          TLSH:D5B46C56A7B903E9D1A7803C8547C603F7B6B4991311DBDB43A08A7A1F637E16E3B720
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......--..iL..iL..iL..`4:.}L..o.T.aL..o...cL..o...mL..o...KL..o...oL.."4..~L..iL..YM...<...L......kL......hL....V.hL......hL..RichiL.
                                          Icon Hash:90cececece8e8eb0
                                          Entrypoint:0x1400617c8
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x140000000
                                          Subsystem:windows cui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x6702C563 [Sun Oct 6 17:14:11 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:6
                                          OS Version Minor:0
                                          File Version Major:6
                                          File Version Minor:0
                                          Subsystem Version Major:6
                                          Subsystem Version Minor:0
                                          Import Hash:9ff25bf28f7da212132215c8900cc49a
                                          Instruction
                                          dec eax
                                          sub esp, 28h
                                          call 00007F38C08200C8h
                                          dec eax
                                          add esp, 28h
                                          jmp 00007F38C081F8C7h
                                          int3
                                          int3
                                          jmp 00007F38C0820384h
                                          int3
                                          int3
                                          int3
                                          inc eax
                                          push ebx
                                          dec eax
                                          sub esp, 20h
                                          dec eax
                                          mov ebx, ecx
                                          dec eax
                                          lea ecx, dword ptr [0001A10Ch]
                                          call dword ptr [00001926h]
                                          mov eax, dword ptr [000198C8h]
                                          dec eax
                                          lea ecx, dword ptr [0001A0F9h]
                                          mov edx, dword ptr [0001A693h]
                                          inc eax
                                          mov dword ptr [000198B3h], eax
                                          mov dword ptr [ebx], eax
                                          dec eax
                                          mov eax, dword ptr [00000058h]
                                          inc ecx
                                          mov ecx, 00000004h
                                          dec esp
                                          mov eax, dword ptr [eax+edx*8]
                                          mov eax, dword ptr [00019898h]
                                          inc ebx
                                          mov dword ptr [ecx+eax], eax
                                          call dword ptr [00001AAEh]
                                          dec eax
                                          lea ecx, dword ptr [0001A0B7h]
                                          dec eax
                                          add esp, 20h
                                          pop ebx
                                          dec eax
                                          jmp dword ptr [000018DBh]
                                          int3
                                          int3
                                          int3
                                          inc eax
                                          push ebx
                                          dec eax
                                          sub esp, 20h
                                          dec eax
                                          mov ebx, ecx
                                          dec eax
                                          lea ecx, dword ptr [0001A0A0h]
                                          call dword ptr [000018BAh]
                                          cmp dword ptr [ebx], 00000000h
                                          jne 00007F38C081FA74h
                                          or dword ptr [ebx], FFFFFFFFh
                                          jmp 00007F38C081FA97h
                                          inc ebp
                                          xor ecx, ecx
                                          dec eax
                                          lea edx, dword ptr [0001A086h]
                                          inc ecx
                                          or eax, FFFFFFFFh
                                          dec eax
                                          lea ecx, dword ptr [0001A073h]
                                          call dword ptr [000018A5h]
                                          jmp 00007F38C081FA2Bh
                                          cmp dword ptr [ebx], FFFFFFFFh
                                          Programming Language:
                                          • [IMP] VS2008 SP1 build 30729
                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x78988 | 0x1e0 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x81000 | 0x1e8 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x7c000 | 0x41a0 | .pdata
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x82000 | 0x528 | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x720b0 | 0x70 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x72180 | 0x28 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x71f70 | 0x140 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x63000 | 0x930 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x1000 | 0x61f84 | 0x62000 | 2e69b165313b27b00e895f5c26c54794 | False | 0.5318030532525511 | data | 6.334168359583283 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rdata | 0x63000 | 0x1792c | 0x17a00 | d368d9177cb68044c85474e749b95e22 | False | 0.3799499834656085 | data | 5.573338132959243 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data | 0x7b000 | 0xfa0 | 0x400 | bcad257222a22777a9b3e265f8f2ecab | False | 0.294921875 | data | 3.616176831061314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .pdata | 0x7c000 | 0x41a0 | 0x4200 | 8e7ddc7b9f75621dd6d1bcbb77971801 | False | 0.48265861742424243 | data | 5.808300552779591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .rsrc | 0x81000 | 0x1e8 | 0x200 | e73ca378742e6b073379dfc7ae4fd5a2 | False | 0.541015625 | data | 4.772037401703051 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0x82000 | 0x528 | 0x600 | 6e1105187d23ad7a39ec4368153eba6c | False | 0.53125 | data | 4.981525589219005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                          RT_MANIFEST | 0x81060 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
                                          DLL | Import
                                          KERNEL32.dll | GetFileSizeEx, WideCharToMultiByte, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, QueryPerformanceCounter, SetUnhandledExceptionFilter, VerifyVersionInfoA, LoadLibraryA, GetProcAddress, GetModuleHandleA, FreeLibrary, GetSystemDirectoryA, QueryPerformanceFrequency, WaitForMultipleObjects, SleepEx, LeaveCriticalSection, EnterCriticalSection, FormatMessageA, SetLastError, LocalFree, CloseHandle, GetCurrentProcess, GetProcessHeap, DeleteCriticalSection, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetModuleHandleW, GetCurrentProcessId, GetCurrentThreadId, CreateFileA, PeekNamedPipe, ReadFile, GetFileType, GetEnvironmentVariableA, MultiByteToWideChar, WaitForSingleObjectEx, MoveFileExA, VerSetConditionMask, GetSystemTimeAsFileTime, GetTickCount, HeapDestroy, HeapAlloc, HeapReAlloc, GetLastError, Sleep, HeapSize, InitializeCriticalSectionEx, HeapFree, GetConsoleWindow, SetConsoleTitleA, SetConsoleTextAttribute, Beep, UnhandledExceptionFilter, GetStdHandle, ReleaseSRWLockExclusive, InitializeSListHead, OutputDebugStringW
                                          USER32.dll | MessageBoxA, ShowWindow, SetLayeredWindowAttributes, GetWindowLongPtrA, SetWindowLongPtrA
                                          ADVAPI32.dll | CryptEncrypt, GetTokenInformation, GetLengthSid, OpenProcessToken, IsValidSid, CopySid, ConvertSidToStringSidA, CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptGenRandom, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey
                                          SHELL32.dll | ShellExecuteA
                                          MSVCP140.dll | ?id@?$ctype@D@std@@2V0locale@2@A, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, ??0_Lockit@std@@QEAA@H@Z, ??1_Lockit@std@@QEAA@XZ, ?_Xlength_error@std@@YAXPEBD@Z, ??Bid@locale@std@@QEAA_KXZ, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?width@ios_base@std@@QEBA_JXZ, ?width@ios_base@std@@QEAA_J_J@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?_Xbad_function_call@std@@YAXXZ, ?uncaught_exception@std@@YA_NXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
                                          urlmon.dll | URLDownloadToFileA
                                          Normaliz.dll | IdnToAscii
                                          WLDAP32.dll |
                                          CRYPT32.dll | CertFreeCertificateChain, CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertOpenStore, CertCloseStore
                                          WS2_32.dll | ntohl, gethostname, sendto, recvfrom, freeaddrinfo, getaddrinfo, select, __WSAFDIsSet, ioctlsocket, listen, htonl, accept, WSAStartup, WSAIoctl, WSASetLastError, socket, setsockopt, ntohs, htons, getsockopt, getsockname, getpeername, connect, bind, WSAGetLastError, send, recv, closesocket, WSACleanup
                                          USERENV.dll | UnloadUserProfile
                                          VCRUNTIME140.dll | __std_exception_copy, __std_terminate, _CxxThrowException, memcmp, __std_exception_destroy, memset, __C_specific_handler, strchr, strrchr, __current_exception_context, __current_exception, memchr, memcpy, strstr, memmove
                                          VCRUNTIME140_1.dll | __CxxFrameHandler4
                                          api-ms-win-crt-runtime-l1-1-0.dll | _resetstkoflw, _invalid_parameter_noinfo_noreturn, _beginthreadex, _invalid_parameter_noinfo, _errno, __sys_nerr, _getpid, exit, system, terminate, _register_thread_local_exe_atexit_callback, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, strerror, _c_exit, _initterm, _initterm_e, _exit, __p___argv, __p___argc, _get_initial_narrow_environment
                                          api-ms-win-crt-heap-l1-1-0.dll | realloc, _callnewh, free, calloc, _set_new_mode, malloc
                                          api-ms-win-crt-utility-l1-1-0.dll | rand, qsort
                                          api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vfprintf, fseek, feof, __p__commode, __acrt_iob_func, ftell, fputc, _lseeki64, _read, _write, _close, _open, fflush, __stdio_common_vsscanf, __stdio_common_vsprintf, fread, fputs, fopen, fwrite, fgets, fclose, _set_fmode
                                          api-ms-win-crt-convert-l1-1-0.dll | strtod, atoi, strtoul, strtoull, strtol, strtoll
                                          api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale, localeconv
                                          api-ms-win-crt-time-l1-1-0.dll | _time64, _gmtime64
                                          api-ms-win-crt-string-l1-1-0.dll | strcmp, strncmp, isupper, strcspn, strspn, _strdup, strncpy, tolower, strpbrk
                                          api-ms-win-crt-filesystem-l1-1-0.dll | _stat64, _unlink, _access, _fstat64
                                          api-ms-win-crt-math-l1-1-0.dll | __setusermatherr, _dclass
                                          Language of compilation system | Country where language is spoken | Map
                                          English | United States |
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Oct 20, 2024 23:24:53.079811096 CEST | 63891 | 443 | 192.168.2.3 | 172.67.72.57
                                          Oct 20, 2024 23:24:53.079855919 CEST | 443 | 63891 | 172.67.72.57 | 192.168.2.3
                                          Oct 20, 2024 23:24:53.079933882 CEST | 63891 | 443 | 192.168.2.3 | 172.67.72.57
                                          Oct 20, 2024 23:24:53.090677977 CEST | 63891 | 443 | 192.168.2.3 | 172.67.72.57
                                          Oct 20, 2024 23:24:53.090692043 CEST | 443 | 63891 | 172.67.72.57 | 192.168.2.3
                                          Oct 20, 2024 23:24:53.867048979 CEST | 443 | 63891 | 172.67.72.57 | 192.168.2.3
                                          Oct 20, 2024 23:24:53.867212057 CEST | 63891 | 443 | 192.168.2.3 | 172.67.72.57
                                          Oct 20, 2024 23:24:53.870316982 CEST | 63891 | 443 | 192.168.2.3 | 172.67.72.57
                                          Oct 20, 2024 23:24:53.870326996 CEST | 443 | 63891 | 172.67.72.57 | 192.168.2.3
                                          Oct 20, 2024 23:24:53.870754004 CEST | 443 | 63891 | 172.67.72.57 | 192.168.2.3
                                          Oct 20, 2024 23:24:53.873989105 CEST | 63891 | 443 | 192.168.2.3 | 172.67.72.57
                                          Oct 20, 2024 23:24:53.919413090 CEST | 443 | 63891 | 172.67.72.57 | 192.168.2.3
                                          Oct 20, 2024 23:24:54.178067923 CEST | 443 | 63891 | 172.67.72.57 | 192.168.2.3
                                          Oct 20, 2024 23:24:54.178128004 CEST | 443 | 63891 | 172.67.72.57 | 192.168.2.3
                                          Oct 20, 2024 23:24:54.178447962 CEST | 63891 | 443 | 192.168.2.3 | 172.67.72.57
                                          Oct 20, 2024 23:25:10.694904089 CEST | 63891 | 443 | 192.168.2.3 | 172.67.72.57
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Oct 20, 2024 23:24:53.067389965 CEST | 62712 | 53 | 192.168.2.3 | 1.1.1.1
                                          Oct 20, 2024 23:24:53.075136900 CEST | 53 | 62712 | 1.1.1.1 | 192.168.2.3
                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                          Oct 20, 2024 23:24:53.067389965 CEST | 192.168.2.3 | 1.1.1.1 | 0x41fb | Standard query (0) | keyauth.win | A (IP address) | IN (0x0001) | false
                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                          Oct 20, 2024 23:24:53.075136900 CEST | 1.1.1.1 | 192.168.2.3 | 0x41fb | No error (0) | keyauth.win | | 172.67.72.57 | A (IP address) | IN (0x0001) | false
                                          Oct 20, 2024 23:24:53.075136900 CEST | 1.1.1.1 | 192.168.2.3 | 0x41fb | No error (0) | keyauth.win | | 104.26.1.5 | A (IP address) | IN (0x0001) | false
                                          Oct 20, 2024 23:24:53.075136900 CEST | 1.1.1.1 | 192.168.2.3 | 0x41fb | No error (0) | keyauth.win | | 104.26.0.5 | A (IP address) | IN (0x0001) | false
                                          • keyauth.win
                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          0 | 192.168.2.3 | 63891 | 172.67.72.57 | 443 | 7548 | C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-10-20 21:24:53 UTC | 128 | OUT | POST /api/1.1/ HTTP/1.1
                                          Host: keyauth.win
                                          Accept: */*
                                          Content-Length: 47
                                          Content-Type: application/x-www-form-urlencoded
                                          2024-10-20 21:24:53 UTC | 47 | OUT | Data Raw: 74 79 70 65 3d 69 6e 69 74 26 76 65 72 3d 31 2e 30 26 6e 61 6d 65 3d 66 69 76 65 6d 26 6f 77 6e 65 72 69 64 3d 39 57 49 76 54 56 4a 61 39 6d
                                          Data Ascii: type=init&ver=1.0&name=fivem&ownerid=9WIvTVJa9m



                                          Target ID:0
                                          Start time:17:24:49
                                          Start date:20/10/2024
                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe"
                                          Imagebase:0x7ff73acf0000
                                          File size:519'168 bytes
                                          MD5 hash:F937D31F13FCD8A8AD2BF6B231F2702F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:1
                                          Start time:17:24:49
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff720030000
                                          File size:873'472 bytes
                                          MD5 hash:7366FBEFE66BA0F1F5304F7D6FEF09FE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:3
                                          Start time:17:24:49
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:17:24:49
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                          Imagebase:0x7ff7d6170000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:5
                                          Start time:17:24:50
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:17:24:50
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                          Imagebase:0x7ff7d6170000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:7
                                          Start time:17:24:50
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:17:24:50
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                          Imagebase:0x7ff7d6170000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:9
                                          Start time:17:24:50
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:10
                                          Start time:17:24:50
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc stop HTTPDebuggerPro
                                          Imagebase:0x7ff6e35a0000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:11
                                          Start time:17:24:50
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:12
                                          Start time:17:24:50
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc stop HTTPDebuggerProSdk
                                          Imagebase:0x7ff6e35a0000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:13
                                          Start time:17:24:50
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:14
                                          Start time:17:24:50
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:15
                                          Start time:17:24:50
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                          Imagebase:0x7ff7d6170000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:16
                                          Start time:17:24:51
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:17
                                          Start time:17:24:51
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                          Imagebase:0x7ff7d6170000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:18
                                          Start time:17:24:51
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:19
                                          Start time:17:24:51
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                          Imagebase:0x7ff7d6170000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:20
                                          Start time:17:24:52
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:21
                                          Start time:17:24:52
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc stop HTTPDebuggerPro
                                          Imagebase:0x7ff6e35a0000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:22
                                          Start time:17:24:52
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:23
                                          Start time:17:24:52
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc stop HTTPDebuggerProSdk
                                          Imagebase:0x7ff6e35a0000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:24
                                          Start time:17:24:52
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:25
                                          Start time:17:24:56
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:26
                                          Start time:17:24:56
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                          Imagebase:0x7ff7d6170000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:27
                                          Start time:17:24:56
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:28
                                          Start time:17:24:56
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                          Imagebase:0x7ff7d6170000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:29
                                          Start time:17:24:56
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:30
                                          Start time:17:24:56
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                          Imagebase:0x7ff7d6170000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:31
                                          Start time:17:24:56
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:32
                                          Start time:17:24:56
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc stop HTTPDebuggerPro
                                          Imagebase:0x7ff6e35a0000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:33
                                          Start time:17:24:56
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:34
                                          Start time:17:24:57
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc stop HTTPDebuggerProSdk
                                          Imagebase:0x7ff6e35a0000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:35
                                          Start time:17:24:57
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                          Imagebase:0x7ff6eed10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:38
                                          Start time:17:24:57
                                          Start date:20/10/2024
                                          Path:C:\Windows\System32\WerFault.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7548 -s 996
                                          Imagebase:0x7ff68a5d0000
                                          File size:576'896 bytes
                                          MD5 hash:59550DE0393B1CDD584A1467D6D734E7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                            Execution Graph

                                            Execution Coverage:4.2%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:23.4%
                                            Total number of Nodes:1938
                                            Total number of Limit Nodes:99
API calls 47923->47988 47987 7ff73ad17710 19 API calls 47924->47987 47925->47912 47925->47913 47925->47916 47925->47917 47925->47922 47926 7ff73ad1ef4f 47925->47926 47928 7ff73ad17890 15 API calls 47925->47928 47935 7ff73ad1ec7c 47925->47935 47925->47936 47939 7ff73ad17630 23 API calls 47925->47939 47975 7ff73ad17a00 47925->47975 47978 7ff73ad26e30 47925->47978 47981 7ff73ad24630 192 API calls 47925->47981 47984 7ff73ad44330 23 API calls 47925->47984 47985 7ff73ad30e50 23 API calls 47925->47985 47929 7ff73ad1ef57 47926->47929 47930 7ff73ad1ef83 47926->47930 47928->47925 47934 7ff73ad17890 15 API calls 47929->47934 47986 7ff73ad17710 19 API calls 47930->47986 47931 7ff73ad1ef8f 47931->47936 47934->47936 47937 7ff73ad17890 15 API calls 47935->47937 47936->47803 47938 7ff73ad1efa8 47937->47938 47941 7ff73ad17890 15 API calls 47938->47941 47939->47925 47941->47936 47942->47832 47943->47809 47945 7ff73ad1f59d GetTickCount 47944->47945 47946 7ff73ad1f562 QueryPerformanceCounter 47944->47946 47945->47814 47946->47814 47948 7ff73ad17899 47947->47948 47951 7ff73ad179ee 47947->47951 47956 7ff73ad17969 47948->47956 48253 7ff73ad1ad20 13 API calls 47948->48253 47950 7ff73ad51370 8 API calls 47950->47951 47951->47810 47952 7ff73ad17951 47954 7ff73ad1799e fwrite fwrite 47952->47954 47952->47956 47953 7ff73ad178ec 47953->47952 48254 7ff73ad1ac20 47953->48254 47954->47956 47956->47950 47957->47812 47958->47815 47959->47832 47960->47832 47961->47832 47962->47832 47963->47823 47965 7ff73ad51379 47964->47965 47966 7ff73ad280ae 47965->47966 47967 7ff73ad518fc IsProcessorFeaturePresent 47965->47967 47966->47798 47968 7ff73ad51914 47967->47968 47973 7ff73ad51af0 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 47968->47973 47970 7ff73ad51927 47974 7ff73ad518c8 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47970->47974 47973->47970 47989 7ff73ad2d360 47975->47989 47979 7ff73ad1f550 2 API calls 47978->47979 47980 7ff73ad26e4a 47979->47980 
47980->47925 47981->47925 47982->47917 47983->47925 47984->47925 47985->47925 47986->47931 47987->47931 47988->47931 47990 7ff73ad2d3fe 47989->47990 47991 7ff73ad2d3df 47989->47991 47992 7ff73ad2d422 47990->47992 47993 7ff73ad2d405 47990->47993 47991->47990 47994 7ff73ad2d3e5 47991->47994 47997 7ff73ad2d428 47992->47997 47999 7ff73ad2d441 47992->47999 47996 7ff73ad17890 15 API calls 47993->47996 47995 7ff73ad17890 15 API calls 47994->47995 48001 7ff73ad2d3f4 47995->48001 47996->48001 47998 7ff73ad17890 15 API calls 47997->47998 47998->48001 48000 7ff73ad2d470 realloc 47999->48000 48002 7ff73ad2d4be 47999->48002 48024 7ff73ad2d539 47999->48024 48000->48002 48003 7ff73ad2d49d 48000->48003 48007 7ff73ad2d896 48001->48007 48057 7ff73ad1a5a0 48001->48057 48035 7ff73ad17a90 recv 48002->48035 48038 7ff73ad17710 19 API calls 48003->48038 48004 7ff73ad2d995 memcpy memcpy 48008 7ff73ad2d9db 48004->48008 48007->48004 48007->48008 48012 7ff73ad51370 8 API calls 48008->48012 48009 7ff73ad2d4b4 48009->48001 48011 7ff73ad17890 15 API calls 48011->48024 48014 7ff73ad17a5b 48012->48014 48013 7ff73ad2d507 48016 7ff73ad2d52d 48013->48016 48017 7ff73ad2d6fe 48013->48017 48013->48024 48014->47925 48020 7ff73ad17890 15 API calls 48016->48020 48019 7ff73ad17890 15 API calls 48017->48019 48018 7ff73ad17890 15 API calls 48018->48007 48019->48024 48020->48024 48021 7ff73ad17890 15 API calls 48021->48001 48023 7ff73ad2d8a7 48027 7ff73ad2d81e 48023->48027 48028 7ff73ad2d8d6 48023->48028 48024->48001 48024->48011 48024->48023 48025 7ff73ad2d640 realloc 48024->48025 48024->48027 48030 7ff73ad2d6db memcpy 48024->48030 48032 7ff73ad2d68b memcpy 48024->48032 48039 7ff73ad2b820 48024->48039 48025->48024 48026 7ff73ad2d906 48025->48026 48066 7ff73ad17710 19 API calls 48026->48066 48027->48001 48027->48021 48065 7ff73ad03ab0 22 API calls 48028->48065 48030->48024 48032->48024 48033 7ff73ad2d8ef 48034 7ff73ad17890 15 API calls 48033->48034 48034->48001 48036 7ff73ad17aab WSAGetLastError 48035->48036 
48037 7ff73ad17ad2 48035->48037 48036->48013 48037->48013 48038->48009 48040 7ff73ad2b874 48039->48040 48048 7ff73ad2b869 48039->48048 48041 7ff73ad18f90 10 API calls 48040->48041 48054 7ff73ad2b89b 48040->48054 48044 7ff73ad2b887 48041->48044 48042 7ff73ad2b992 48042->48048 48189 7ff73ad2cf80 67 API calls 48042->48189 48043 7ff73ad18f90 10 API calls 48043->48054 48046 7ff73ad2b97c 48044->48046 48067 7ff73ad2ba10 48044->48067 48188 7ff73ad17710 19 API calls 48046->48188 48048->48024 48050 7ff73ad2b975 48050->48048 48051 7ff73ad27d80 19 API calls 48051->48054 48053 7ff73ad2b95d WSAGetLastError 48187 7ff73ad17710 19 API calls 48053->48187 48054->48042 48054->48043 48054->48046 48054->48048 48054->48051 48054->48053 48056 7ff73ad2b94c 48054->48056 48121 7ff73ad2c7f0 48054->48121 48056->48046 48056->48048 48058 7ff73ad1a5cd 48057->48058 48059 7ff73ad1a67f VerSetConditionMask VerSetConditionMask VerSetConditionMask VerSetConditionMask 48058->48059 48060 7ff73ad1a5e5 48058->48060 48061 7ff73ad1a6c2 VerSetConditionMask 48059->48061 48062 7ff73ad1a6d4 VerifyVersionInfoA 48059->48062 48063 7ff73ad51370 8 API calls 48060->48063 48061->48062 48062->48060 48064 7ff73ad1a70b 48063->48064 48064->48007 48064->48018 48065->48033 48066->48009 48068 7ff73ad2ba82 48067->48068 48069 7ff73ad1a5a0 14 API calls 48068->48069 48070 7ff73ad2babe 48069->48070 48071 7ff73ad2bad1 48070->48071 48072 7ff73ad17890 15 API calls 48070->48072 48073 7ff73ad2bada GetModuleHandleA GetProcAddress 48071->48073 48076 7ff73ad2bb18 48071->48076 48072->48071 48074 7ff73ad2bafc 48073->48074 48073->48076 48075 7ff73ad1a5a0 14 API calls 48074->48075 48077 7ff73ad2bb10 48075->48077 48078 7ff73ad1a5a0 14 API calls 48076->48078 48086 7ff73ad2bb75 48076->48086 48077->48076 48079 7ff73ad2bb71 48078->48079 48080 7ff73ad2bb82 48079->48080 48079->48086 48207 7ff73ad17710 19 API calls 48080->48207 48082 7ff73ad2c4a7 48190 7ff73ad296a0 48082->48190 48084 7ff73ad2c4bc 48087 7ff73ad2c4cf 48084->48087 48091 7ff73ad296a0 13 
API calls 48084->48091 48085 7ff73ad51370 8 API calls 48088 7ff73ad2c7ac 48085->48088 48086->48082 48090 7ff73ad2bcc3 48086->48090 48089 7ff73ad17890 15 API calls 48087->48089 48094 7ff73ad2c4e2 48087->48094 48088->48054 48089->48094 48208 7ff73ad17710 19 API calls 48090->48208 48091->48087 48093 7ff73ad2c52b 48097 7ff73ad2c58d calloc 48093->48097 48094->48093 48096 7ff73ad17890 15 API calls 48094->48096 48095 7ff73ad2c49e 48095->48082 48098 7ff73ad2c5f6 48095->48098 48096->48093 48099 7ff73ad2c5e7 48097->48099 48100 7ff73ad2c600 48097->48100 48098->48085 48209 7ff73ad17710 19 API calls 48099->48209 48100->48098 48102 7ff73ad2c669 free 48100->48102 48103 7ff73ad2c70c 48100->48103 48104 7ff73ad2c69a 48102->48104 48105 7ff73ad2c6e6 48102->48105 48204 7ff73ad17fd0 48103->48204 48107 7ff73ad2c6a2 48104->48107 48108 7ff73ad2c6c0 48104->48108 48214 7ff73ad03ab0 22 API calls 48105->48214 48210 7ff73ad03ab0 22 API calls 48107->48210 48212 7ff73ad03ab0 22 API calls 48108->48212 48111 7ff73ad2c6f0 48215 7ff73ad17710 19 API calls 48111->48215 48115 7ff73ad2c6a9 48211 7ff73ad17710 19 API calls 48115->48211 48116 7ff73ad2c6ca 48213 7ff73ad17710 19 API calls 48116->48213 48117 7ff73ad2bb91 48117->48098 48123 7ff73ad2c860 48121->48123 48122 7ff73ad2cf5f 48123->48122 48124 7ff73ad2c902 48123->48124 48125 7ff73ad2c8c2 malloc 48123->48125 48126 7ff73ad2c908 malloc 48124->48126 48127 7ff73ad2c953 48124->48127 48125->48122 48125->48124 48126->48122 48126->48127 48128 7ff73ad2c9c0 48127->48128 48129 7ff73ad2c966 realloc 48127->48129 48131 7ff73ad17a90 2 API calls 48128->48131 48133 7ff73ad2ca05 48128->48133 48129->48128 48130 7ff73ad2c982 48129->48130 48238 7ff73ad17710 19 API calls 48130->48238 48131->48133 48134 7ff73ad2ca4a malloc 48133->48134 48136 7ff73ad2cc5a 48133->48136 48144 7ff73ad2c991 48133->48144 48134->48122 48135 7ff73ad2cae7 memcpy 48134->48135 48137 7ff73ad2cb07 free 48135->48137 48135->48144 48239 7ff73ad17710 19 API calls 48136->48239 48143 7ff73ad2cb79 48137->48143 
48137->48144 48138 7ff73ad51370 8 API calls 48140 7ff73ad2c9ad 48138->48140 48140->48054 48141 7ff73ad2cc75 48141->48144 48145 7ff73ad2ceec 48143->48145 48147 7ff73ad2cc9d 48143->48147 48152 7ff73ad2cb98 48143->48152 48144->48138 48145->48144 48146 7ff73ad2cefa 48145->48146 48251 7ff73ad03ab0 22 API calls 48146->48251 48150 7ff73ad2cca6 48147->48150 48151 7ff73ad2cce4 48147->48151 48149 7ff73ad2cf0f 48252 7ff73ad17710 19 API calls 48149->48252 48150->48146 48154 7ff73ad2ccb3 48150->48154 48242 7ff73ad03ab0 22 API calls 48151->48242 48156 7ff73ad17fd0 48 API calls 48152->48156 48158 7ff73ad2cc04 48152->48158 48162 7ff73ad2cd12 48152->48162 48240 7ff73ad03ab0 22 API calls 48154->48240 48156->48152 48165 7ff73ad2cc30 memcpy 48158->48165 48167 7ff73ad2cd38 48158->48167 48159 7ff73ad2ccfb 48243 7ff73ad17710 19 API calls 48159->48243 48161 7ff73ad2ccc8 48241 7ff73ad17710 19 API calls 48161->48241 48244 7ff73ad17710 19 API calls 48162->48244 48165->48136 48165->48167 48166 7ff73ad2cec0 48166->48144 48168 7ff73ad2cedb 48166->48168 48167->48144 48167->48166 48170 7ff73ad2ce93 48167->48170 48171 7ff73ad2cde9 48167->48171 48250 7ff73ad47870 91 API calls 48168->48250 48248 7ff73ad03ab0 22 API calls 48170->48248 48173 7ff73ad2ce5b 48171->48173 48177 7ff73ad2cdf7 memset 48171->48177 48175 7ff73ad2ce6a CertFreeCertificateContext 48173->48175 48176 7ff73ad2ce70 48173->48176 48174 7ff73ad2cea7 48249 7ff73ad17710 19 API calls 48174->48249 48175->48176 48176->48166 48179 7ff73ad2ce74 48176->48179 48180 7ff73ad2ce1c 48177->48180 48247 7ff73ad17710 19 API calls 48179->48247 48180->48173 48183 7ff73ad2ce2c 48180->48183 48186 7ff73ad2ce46 48180->48186 48181 7ff73ad2ceb9 48181->48173 48183->48186 48245 7ff73ad10e80 253 API calls 48183->48245 48186->48173 48246 7ff73ad17710 19 API calls 48186->48246 48187->48050 48188->48050 48189->48048 48191 7ff73ad296ac 48190->48191 48200 7ff73ad296d6 48190->48200 48192 7ff73ad296b1 _errno 48191->48192 48198 7ff73ad296c7 48191->48198 48192->48084 48193 
7ff73ad29730 strchr 48193->48200 48194 7ff73ad29840 strchr 48196 7ff73ad29860 strchr 48194->48196 48194->48198 48195 7ff73ad51370 8 API calls 48197 7ff73ad299a6 48195->48197 48196->48198 48197->48084 48198->48194 48199 7ff73ad29955 48198->48199 48202 7ff73ad298ed 48198->48202 48199->48202 48217 7ff73ad296f0 strchr 48199->48217 48200->48193 48201 7ff73ad29797 48200->48201 48201->48084 48202->48195 48218 7ff73ad17c70 48204->48218 48207->48117 48208->48095 48209->48098 48210->48115 48211->48117 48212->48116 48213->48117 48214->48111 48215->48117 48216 7ff73ad17710 19 API calls 48216->48098 48217->48202 48219 7ff73ad17d77 send 48218->48219 48220 7ff73ad17cdf 48218->48220 48221 7ff73ad17da4 48219->48221 48222 7ff73ad17d95 WSAGetLastError 48219->48222 48220->48219 48225 7ff73ad27d80 19 API calls 48220->48225 48226 7ff73ad51370 8 API calls 48221->48226 48222->48221 48223 7ff73ad17db0 48222->48223 48236 7ff73ad042a0 27 API calls 48223->48236 48228 7ff73ad17d13 48225->48228 48229 7ff73ad17df7 48226->48229 48227 7ff73ad17dc2 48237 7ff73ad17710 19 API calls 48227->48237 48228->48219 48232 7ff73ad17d1c 48228->48232 48229->48098 48229->48216 48231 7ff73ad17dd4 48231->48221 48233 7ff73ad17d50 recv 48232->48233 48234 7ff73ad17d24 malloc 48232->48234 48233->48219 48235 7ff73ad17d6d 48233->48235 48234->48233 48234->48235 48235->48219 48236->48227 48237->48231 48238->48144 48239->48141 48240->48161 48241->48141 48242->48159 48243->48141 48244->48141 48245->48186 48246->48173 48247->48141 48248->48174 48249->48181 48250->48141 48251->48149 48252->48141 48253->47953 48257 7ff73ad1b5e0 13 API calls 48254->48257 48256 7ff73ad1ac53 48256->47952 48257->48256 48259 7ff73ad0cd17 48258->48259 48260 7ff73ad0cd05 48258->48260 48262 7ff73ad0ce28 EnterCriticalSection LeaveCriticalSection 48259->48262 48263 7ff73ad0ceb4 free 48259->48263 48260->48259 48261 7ff73ad0cd0b 48260->48261 48293 7ff73ad2ab40 WaitForSingleObjectEx CloseHandle 48261->48293 48265 7ff73ad0ce6b 48262->48265 48266 7ff73ad0ce61 
CloseHandle 48262->48266 48263->47846 48268 7ff73ad0ce79 48265->48268 48269 7ff73ad0ce71 48265->48269 48271 7ff73ad0ce8c 48266->48271 48267 7ff73ad0cd10 48267->48259 48295 7ff73ad0ced0 7 API calls 48268->48295 48294 7ff73ad2ab40 WaitForSingleObjectEx CloseHandle 48269->48294 48270 7ff73ad0cea1 closesocket 48270->48263 48271->48270 48296 7ff73ad078a0 free 48271->48296 48275 7ff73ad0ce82 free 48275->48271 48277 7ff73ad0a290 48276->48277 48278 7ff73ad0a257 48276->48278 48277->47852 48297 7ff73ad07590 17 API calls 48278->48297 48281 7ff73ad202e1 48280->48281 48285 7ff73ad2033a 48280->48285 48283 7ff73ad20303 _time64 48281->48283 48281->48285 48282 7ff73ad51370 8 API calls 48284 7ff73ad08c2b free 48282->48284 48283->48285 48284->47857 48284->47859 48285->48282 48286->47849 48287->47855 48288->47868 48291->47864 48293->48267 48294->48268 48295->48275 48296->48270 48297->48277 48298 7ff73ad3355d 48299 7ff73ad335d3 48298->48299 48303 7ff73ad335a3 48298->48303 48357 7ff73ad34c00 38 API calls 48299->48357 48301 7ff73ad335d8 48301->48303 48315 7ff73ad336ec 48301->48315 48302 7ff73ad335c3 48303->48302 48320 7ff73ad35da0 65 API calls 48303->48320 48305 7ff73ad33663 48306 7ff73ad33743 48305->48306 48321 7ff73ad4c820 35 API calls 48305->48321 48367 7ff73ad349a0 free free free free 48306->48367 48309 7ff73ad3367e 48310 7ff73ad17890 15 API calls 48309->48310 48311 7ff73ad336a5 48310->48311 48311->48306 48312 7ff73ad336ad 48311->48312 48313 7ff73ad33700 48312->48313 48312->48315 48322 7ff73ad33e50 48312->48322 48313->48315 48366 7ff73ad1e740 17 API calls 48313->48366 48316 7ff73ad336d1 48316->48313 48318 7ff73ad336d7 48316->48318 48318->48315 48358 7ff73ad18370 48318->48358 48320->48305 48321->48309 48323 7ff73ad33e79 48322->48323 48324 7ff73ad33ee0 48322->48324 48326 7ff73ad33e8a 48323->48326 48327 7ff73ad33ea0 48323->48327 48409 7ff73ad1d470 48324->48409 48407 7ff73ad1d370 403 API calls 48326->48407 48368 7ff73ad18720 48327->48368 48331 7ff73ad33eed 48337 7ff73ad33f51 48331->48337 
48344 7ff73ad33fca 48331->48344 48429 7ff73ad4c820 35 API calls 48331->48429 48332 7ff73ad33e95 48332->48316 48333 7ff73ad33eb1 48333->48344 48408 7ff73ad34ad0 65 API calls 48333->48408 48335 7ff73ad3407e 48437 7ff73ad1e740 17 API calls 48335->48437 48336 7ff73ad33f82 48338 7ff73ad33fde 48336->48338 48339 7ff73ad33f8e 48336->48339 48337->48335 48337->48336 48337->48344 48342 7ff73ad33fe7 48338->48342 48433 7ff73ad4e8b0 _errno strtoll _errno 48338->48433 48430 7ff73ad347e0 269 API calls 48339->48430 48356 7ff73ad3403e 48342->48356 48435 7ff73ad34b70 72 API calls 48342->48435 48344->48316 48345 7ff73ad33ed5 48345->48316 48347 7ff73ad33f98 48347->48344 48431 7ff73ad34330 26 API calls 48347->48431 48349 7ff73ad34003 48349->48342 48353 7ff73ad34029 48349->48353 48349->48356 48352 7ff73ad33fb3 48352->48344 48432 7ff73ad34720 32 API calls 48352->48432 48434 7ff73ad34b70 72 API calls 48353->48434 48356->48344 48436 7ff73ad4c820 35 API calls 48356->48436 48357->48301 48359 7ff73ad183b0 closesocket 48358->48359 48361 7ff73ad18385 48358->48361 48359->48315 48360 7ff73ad183a1 48545 7ff73ad078a0 free 48360->48545 48361->48360 48362 7ff73ad183c6 48361->48362 48546 7ff73ad078a0 free 48362->48546 48365 7ff73ad183ce 48365->48315 48366->48315 48367->48315 48369 7ff73ad18778 48368->48369 48383 7ff73ad1876f 48368->48383 48370 7ff73ad1f550 2 API calls 48369->48370 48373 7ff73ad18792 48370->48373 48371 7ff73ad51370 8 API calls 48372 7ff73ad18ca5 48371->48372 48372->48324 48372->48333 48374 7ff73ad18809 48373->48374 48375 7ff73ad18822 48373->48375 48459 7ff73ad17710 19 API calls 48374->48459 48376 7ff73ad1882c 48375->48376 48389 7ff73ad18859 48375->48389 48379 7ff73ad198f0 609 API calls 48376->48379 48378 7ff73ad18818 48378->48383 48380 7ff73ad1883a 48379->48380 48380->48383 48384 7ff73ad19a00 51 API calls 48380->48384 48381 7ff73ad27d80 19 API calls 48381->48389 48382 7ff73ad18b35 48382->48383 48461 7ff73ad1a020 614 API calls 48382->48461 48383->48371 48384->48383 48386 7ff73ad18aa4 
SleepEx getsockopt 48387 7ff73ad18aec WSAGetLastError 48386->48387 48386->48389 48387->48389 48388 7ff73ad18a46 SleepEx getsockopt 48388->48389 48390 7ff73ad18a8e WSAGetLastError 48388->48390 48389->48381 48389->48382 48389->48386 48389->48388 48391 7ff73ad17890 15 API calls 48389->48391 48393 7ff73ad18b73 48389->48393 48394 7ff73ad18957 WSASetLastError 48389->48394 48406 7ff73ad1a020 614 API calls 48389->48406 48460 7ff73ad042a0 27 API calls 48389->48460 48390->48389 48391->48389 48392 7ff73ad18b67 48462 7ff73ad042a0 27 API calls 48392->48462 48397 7ff73ad18370 2 API calls 48393->48397 48400 7ff73ad18bcb 48393->48400 48394->48389 48395 7ff73ad18b4e 48395->48383 48395->48392 48397->48400 48399 7ff73ad18c47 48463 7ff73ad17710 19 API calls 48399->48463 48438 7ff73ad198f0 48400->48438 48401 7ff73ad18be9 48401->48383 48451 7ff73ad19a00 48401->48451 48404 7ff73ad18c65 48404->48383 48406->48389 48407->48332 48408->48345 48410 7ff73ad1d4bf 48409->48410 48411 7ff73ad1d4a4 48409->48411 48413 7ff73ad1d501 memset 48410->48413 48416 7ff73ad1d4c5 48410->48416 48411->48410 48508 7ff73ad11910 48411->48508 48417 7ff73ad1d533 48413->48417 48414 7ff73ad51370 8 API calls 48415 7ff73ad1d665 48414->48415 48415->48331 48416->48414 48418 7ff73ad1d58e calloc 48417->48418 48419 7ff73ad1d606 48417->48419 48420 7ff73ad1d5bc 48418->48420 48421 7ff73ad1d5a6 48418->48421 48521 7ff73ad1c820 402 API calls 48419->48521 48423 7ff73ad17890 15 API calls 48420->48423 48421->48416 48425 7ff73ad1d5cb 48423->48425 48424 7ff73ad1d616 48426 7ff73ad17890 15 API calls 48424->48426 48427 7ff73ad1d631 48424->48427 48425->48419 48426->48427 48427->48416 48428 7ff73ad1d63b free 48427->48428 48428->48416 48429->48337 48430->48347 48431->48352 48432->48344 48433->48349 48434->48356 48435->48356 48436->48344 48437->48344 48439 7ff73ad199f5 48438->48439 48441 7ff73ad19907 48438->48441 48439->48401 48440 7ff73ad199d7 48466 7ff73ad281e0 581 API calls 48440->48466 48441->48440 48442 7ff73ad199aa 48441->48442 48444 
7ff73ad1998c 48441->48444 48465 7ff73ad28830 608 API calls 48442->48465 48444->48442 48447 7ff73ad19991 48444->48447 48446 7ff73ad199f0 48446->48401 48464 7ff73ad17710 19 API calls 48447->48464 48448 7ff73ad199d2 48448->48401 48450 7ff73ad199a0 48450->48401 48452 7ff73ad19a2d 48451->48452 48453 7ff73ad19a20 48451->48453 48467 7ff73ad190a0 48452->48467 48454 7ff73ad26e30 2 API calls 48453->48454 48454->48452 48458 7ff73ad19a45 48458->48383 48459->48378 48460->48389 48461->48395 48462->48399 48463->48404 48464->48450 48465->48448 48466->48446 48468 7ff73ad190d7 48467->48468 48469 7ff73ad192d3 48467->48469 48468->48469 48471 7ff73ad190f1 getpeername 48468->48471 48470 7ff73ad51370 8 API calls 48469->48470 48472 7ff73ad193ba 48470->48472 48473 7ff73ad1914d getsockname 48471->48473 48474 7ff73ad19116 WSAGetLastError 48471->48474 48497 7ff73ad13e40 15 API calls 48472->48497 48476 7ff73ad191d7 48473->48476 48477 7ff73ad191a0 WSAGetLastError 48473->48477 48498 7ff73ad042a0 27 API calls 48474->48498 48502 7ff73ad182d0 19 API calls 48476->48502 48500 7ff73ad042a0 27 API calls 48477->48500 48478 7ff73ad19133 48499 7ff73ad17710 19 API calls 48478->48499 48481 7ff73ad191f9 48484 7ff73ad1923d 48481->48484 48485 7ff73ad191fd _errno _errno 48481->48485 48483 7ff73ad191bd 48501 7ff73ad17710 19 API calls 48483->48501 48505 7ff73ad182d0 19 API calls 48484->48505 48503 7ff73ad042a0 27 API calls 48485->48503 48489 7ff73ad19148 48489->48469 48490 7ff73ad19223 48504 7ff73ad17710 19 API calls 48490->48504 48491 7ff73ad1928f 48491->48469 48493 7ff73ad19293 _errno _errno 48491->48493 48506 7ff73ad042a0 27 API calls 48493->48506 48495 7ff73ad192b9 48507 7ff73ad17710 19 API calls 48495->48507 48497->48458 48498->48478 48499->48489 48500->48483 48501->48489 48502->48481 48503->48490 48504->48489 48505->48491 48506->48495 48507->48489 48509 7ff73ad11937 48508->48509 48510 7ff73ad1193e 48508->48510 48540 7ff73ad122f0 memset 48509->48540 48512 7ff73ad11964 48510->48512 48513 7ff73ad1196d 
48510->48513 48517 7ff73ad119a7 48510->48517 48541 7ff73ad17710 19 API calls 48512->48541 48520 7ff73ad2b820 253 API calls 48513->48520 48522 7ff73ad2ab90 48513->48522 48515 7ff73ad119b7 48515->48517 48516 7ff73ad11992 48516->48517 48518 7ff73ad26e30 2 API calls 48516->48518 48517->48410 48518->48517 48520->48516 48521->48424 48523 7ff73ad2b820 48522->48523 48524 7ff73ad18f90 10 API calls 48523->48524 48527 7ff73ad2b869 48523->48527 48536 7ff73ad2b89b 48523->48536 48528 7ff73ad2b887 48524->48528 48525 7ff73ad2b992 48525->48527 48544 7ff73ad2cf80 67 API calls 48525->48544 48526 7ff73ad18f90 10 API calls 48526->48536 48527->48516 48530 7ff73ad2b97c 48528->48530 48532 7ff73ad2ba10 74 API calls 48528->48532 48543 7ff73ad17710 19 API calls 48530->48543 48532->48536 48533 7ff73ad2b975 48533->48527 48534 7ff73ad27d80 19 API calls 48534->48536 48535 7ff73ad2c7f0 252 API calls 48535->48536 48536->48525 48536->48526 48536->48527 48536->48530 48536->48534 48536->48535 48537 7ff73ad2b95d WSAGetLastError 48536->48537 48539 7ff73ad2b94c 48536->48539 48542 7ff73ad17710 19 API calls 48537->48542 48539->48527 48539->48530 48540->48510 48541->48515 48542->48533 48543->48533 48544->48527 48545->48359 48546->48365 48547 7ff73ad0951b 48548 7ff73ad0952e 48547->48548 48549 7ff73ad095e7 48548->48549 48551 7ff73ad1d470 405 API calls 48548->48551 48552 7ff73ad09536 48548->48552 48550 7ff73ad09573 48549->48550 48549->48552 48554 7ff73ad08aa0 292 API calls 48550->48554 48555 7ff73ad0956d 48551->48555 48567 7ff73ad0901b 48552->48567 48589 7ff73ad1d320 free 48552->48589 48554->48567 48555->48549 48555->48550 48555->48552 48570 7ff73ad23070 48555->48570 48556 7ff73ad0a240 17 API calls 48556->48567 48558 7ff73ad0a0c2 48559 7ff73ad0a0b3 48593 7ff73ad17710 19 API calls 48559->48593 48563 7ff73ad18f90 10 API calls 48563->48567 48564 7ff73ad090be 48565 7ff73ad17710 19 API calls 48564->48565 48564->48567 48565->48564 48567->48556 48567->48558 48567->48559 48567->48563 48567->48564 48568 7ff73ad08aa0 
292 API calls 48567->48568 48588 7ff73ad17710 19 API calls 48567->48588 48590 7ff73ad131d0 90 API calls 48567->48590 48591 7ff73ad077c0 15 API calls 48567->48591 48592 7ff73ad26f80 22 API calls 48567->48592 48568->48567 48571 7ff73ad2309c 48570->48571 48572 7ff73ad1d470 405 API calls 48571->48572 48575 7ff73ad230a6 48572->48575 48573 7ff73ad51370 8 API calls 48574 7ff73ad23202 48573->48574 48574->48549 48576 7ff73ad231bc 48575->48576 48577 7ff73ad230f7 48575->48577 48580 7ff73ad231d6 48575->48580 48578 7ff73ad11910 253 API calls 48576->48578 48576->48580 48579 7ff73ad1ac20 13 API calls 48577->48579 48578->48580 48581 7ff73ad23168 calloc 48579->48581 48580->48573 48582 7ff73ad23187 48581->48582 48583 7ff73ad23180 48581->48583 48594 7ff73ad23700 48582->48594 48583->48580 48585 7ff73ad23196 48585->48580 48604 7ff73ad234b0 48585->48604 48588->48567 48589->48567 48590->48567 48591->48567 48592->48567 48593->48558 48624 7ff73ad1ac90 15 API calls 48594->48624 48596 7ff73ad23729 48597 7ff73ad2376a 48596->48597 48598 7ff73ad23731 48596->48598 48600 7ff73ad23777 free free 48597->48600 48601 7ff73ad23789 48597->48601 48625 7ff73ad23340 7 API calls 48598->48625 48600->48601 48601->48585 48603 7ff73ad23755 free 48603->48585 48605 7ff73ad23512 48604->48605 48606 7ff73ad2357a 48605->48606 48607 7ff73ad23524 48605->48607 48627 7ff73ad17f60 48606->48627 48626 7ff73ad1de20 malloc 48607->48626 48609 7ff73ad23539 48611 7ff73ad23540 48609->48611 48612 7ff73ad2355f memcpy 48609->48612 48614 7ff73ad23557 48611->48614 48615 7ff73ad23545 free free 48611->48615 48612->48606 48616 7ff73ad231b8 48614->48616 48615->48614 48616->48576 48616->48580 48617 7ff73ad236c9 free free 48617->48616 48618 7ff73ad235dc 48630 7ff73ad17650 fwrite fwrite 48618->48630 48619 7ff73ad2360e 48619->48616 48619->48617 48621 7ff73ad235ed 48622 7ff73ad23606 48621->48622 48631 7ff73ad17650 fwrite fwrite 48621->48631 48622->48619 48624->48596 48625->48603 48626->48609 48632 7ff73ad2da30 48627->48632 48630->48621 
48631->48622 48633 7ff73ad2daa9 malloc 48632->48633 48634 7ff73ad2da82 48632->48634 48635 7ff73ad2dae9 48633->48635 48636 7ff73ad2da9c 48633->48636 48634->48633 48634->48636 48637 7ff73ad2db09 memcpy 48635->48637 48638 7ff73ad51370 8 API calls 48636->48638 48647 7ff73ad2db8c 48637->48647 48639 7ff73ad17f90 48638->48639 48639->48618 48639->48619 48640 7ff73ad2dc99 free 48640->48636 48641 7ff73ad18f90 10 API calls 48641->48647 48642 7ff73ad2dc61 48653 7ff73ad17710 19 API calls 48642->48653 48644 7ff73ad27d80 19 API calls 48644->48647 48645 7ff73ad2dc73 48645->48640 48646 7ff73ad2dc3b WSAGetLastError 48652 7ff73ad17710 19 API calls 48646->48652 48647->48640 48647->48641 48647->48642 48647->48644 48647->48646 48649 7ff73ad17fd0 48 API calls 48647->48649 48651 7ff73ad2dc2d 48647->48651 48649->48647 48650 7ff73ad2dc53 48650->48651 48651->48640 48652->48650 48653->48645 48654 7ff73ad091dc 48655 7ff73ad26e30 2 API calls 48654->48655 48656 7ff73ad091e9 48655->48656 48657 7ff73ad09205 48656->48657 48712 7ff73ad07590 17 API calls 48656->48712 48659 7ff73ad09221 48657->48659 48713 7ff73ad07590 17 API calls 48657->48713 48681 7ff73ad12f30 free free 48659->48681 48662 7ff73ad09231 48663 7ff73ad09287 48662->48663 48664 7ff73ad17890 15 API calls 48662->48664 48678 7ff73ad0901b 48662->48678 48663->48678 48714 7ff73ad1d320 free 48663->48714 48665 7ff73ad0927b 48664->48665 48666 7ff73ad0a240 17 API calls 48665->48666 48666->48663 48667 7ff73ad0a240 17 API calls 48667->48678 48670 7ff73ad0a0c2 48671 7ff73ad0a0b3 48718 7ff73ad17710 19 API calls 48671->48718 48675 7ff73ad18f90 10 API calls 48675->48678 48676 7ff73ad17710 19 API calls 48677 7ff73ad090be 48676->48677 48677->48676 48677->48678 48678->48667 48678->48670 48678->48671 48678->48675 48678->48677 48680 7ff73ad08aa0 292 API calls 48678->48680 48711 7ff73ad17710 19 API calls 48678->48711 48715 7ff73ad131d0 90 API calls 48678->48715 48716 7ff73ad077c0 15 API calls 48678->48716 48717 7ff73ad26f80 22 API calls 48678->48717 
_gmtime64 49781->49950 49782->49781 49785 7ff73ad22421 49782->49785 49790 7ff73ad22505 49782->49790 49782->49891 49912 7ff73ad237a0 49783->49912 49784 7ff73ad22550 49784->49781 49791 7ff73ad22564 49784->49791 49784->49891 49947 7ff73ad0b7c0 62 API calls 49785->49947 49788 7ff73ad225ad 49792 7ff73ad225b3 49788->49792 49810 7ff73ad225c9 49788->49810 49789 7ff73ad22524 49794 7ff73ad23700 25 API calls 49789->49794 49789->49891 49790->49784 49790->49789 49793 7ff73ad23700 25 API calls 49790->49793 49949 7ff73ad23340 7 API calls 49791->49949 49951 7ff73ad17710 19 API calls 49792->49951 49793->49789 49794->49784 49798 7ff73ad22578 49798->49781 49799 7ff73ad226cf 49800 7ff73ad22700 49799->49800 49808 7ff73ad22aec 49799->49808 49799->49891 49802 7ff73ad22a93 49800->49802 49804 7ff73ad227f7 49800->49804 49805 7ff73ad22710 49800->49805 49801 7ff73ad224f6 49801->49790 49961 7ff73ad23340 7 API calls 49802->49961 49806 7ff73ad22800 49804->49806 49828 7ff73ad22871 49804->49828 49805->49802 49826 7ff73ad2271a 49805->49826 49809 7ff73ad23700 25 API calls 49806->49809 49807 7ff73ad22aa9 49818 7ff73ad234b0 62 API calls 49807->49818 49807->49891 49812 7ff73ad23700 25 API calls 49808->49812 49816 7ff73ad22b45 49808->49816 49817 7ff73ad22810 49809->49817 49810->49783 49813 7ff73ad1ac20 13 API calls 49810->49813 49810->49891 49811 7ff73ad224ee 49948 7ff73ad0b730 9 API calls 49811->49948 49812->49816 49823 7ff73ad22695 49813->49823 49814 7ff73ad22904 49839 7ff73ad229e1 49814->49839 49855 7ff73ad2291f 49814->49855 49815 7ff73ad22b71 49840 7ff73ad22c61 49815->49840 49868 7ff73ad22b94 49815->49868 49815->49891 49816->49815 49824 7ff73ad23700 25 API calls 49816->49824 49816->49891 49833 7ff73ad234b0 62 API calls 49817->49833 49817->49891 49825 7ff73ad22acc 49818->49825 49819 7ff73ad2276b 49822 7ff73ad2278f 49819->49822 49819->49891 49953 7ff73ad25d30 28 API calls 49819->49953 49820 7ff73ad23700 25 API calls 49827 7ff73ad22468 49820->49827 49954 7ff73ad23340 7 API calls 49822->49954 49952 
7ff73ad23340 7 API calls 49823->49952 49824->49815 49834 7ff73ad2284f 49825->49834 49835 7ff73ad22ad6 49825->49835 49826->49819 49844 7ff73ad23700 25 API calls 49826->49844 49827->49801 49827->49811 49827->49820 49830 7ff73ad23700 25 API calls 49828->49830 49838 7ff73ad228c0 49828->49838 49830->49838 49832 7ff73ad23700 25 API calls 49832->49838 49841 7ff73ad22833 49833->49841 49957 7ff73ad1e740 17 API calls 49834->49957 49962 7ff73ad17710 19 API calls 49835->49962 49836 7ff73ad22787 49836->49822 49836->49891 49838->49814 49838->49832 49838->49891 49870 7ff73ad229c5 49839->49870 49958 7ff73ad25d30 28 API calls 49839->49958 49884 7ff73ad22c0c 49840->49884 49963 7ff73ad25d30 28 API calls 49840->49963 49841->49834 49846 7ff73ad22839 49841->49846 49844->49819 49956 7ff73ad17710 19 API calls 49846->49956 49849 7ff73ad226b7 49849->49783 49849->49891 49852 7ff73ad227a5 49857 7ff73ad234b0 62 API calls 49852->49857 49852->49891 49853 7ff73ad22c97 49862 7ff73ad22cb1 49853->49862 49873 7ff73ad22d88 49853->49873 49854 7ff73ad22e21 49971 7ff73ad23340 7 API calls 49854->49971 49858 7ff73ad2295f strchr 49855->49858 49855->49870 49856 7ff73ad22868 49856->49891 49973 7ff73ad26f80 22 API calls 49856->49973 49861 7ff73ad227d3 49857->49861 49863 7ff73ad22974 strchr 49858->49863 49883 7ff73ad22994 49858->49883 49859 7ff73ad22bd7 strchr 49864 7ff73ad22bec strchr 49859->49864 49859->49884 49865 7ff73ad227d9 49861->49865 49866 7ff73ad227ef 49861->49866 49867 7ff73ad22cbe 49862->49867 49862->49873 49869 7ff73ad22987 strchr 49863->49869 49863->49883 49871 7ff73ad22bff strchr 49864->49871 49864->49884 49955 7ff73ad17710 19 API calls 49865->49955 49972 7ff73ad1e740 17 API calls 49866->49972 49964 7ff73ad23340 7 API calls 49867->49964 49868->49859 49868->49884 49869->49883 49959 7ff73ad23340 7 API calls 49870->49959 49871->49884 49873->49891 49901 7ff73ad22cf8 49873->49901 49969 7ff73ad23340 7 API calls 49873->49969 49874 7ff73ad22a20 49880 7ff73ad234b0 62 API calls 49874->49880 49874->49891 
49878 7ff73ad22ef5 49886 7ff73ad17890 15 API calls 49878->49886 49878->49891 49885 7ff73ad22a73 49880->49885 49881 7ff73ad22cd4 49889 7ff73ad22cfd 49881->49889 49890 7ff73ad22ce5 49881->49890 49881->49891 49882 7ff73ad22de3 49887 7ff73ad234b0 62 API calls 49882->49887 49883->49870 49883->49891 49884->49853 49884->49854 49884->49891 49885->49866 49888 7ff73ad22a7d 49885->49888 49886->49891 49892 7ff73ad22e01 49887->49892 49960 7ff73ad17710 19 API calls 49888->49960 49895 7ff73ad22d44 49889->49895 49897 7ff73ad23700 25 API calls 49889->49897 49965 7ff73ad23340 7 API calls 49890->49965 49891->49662 49892->49866 49896 7ff73ad22e0b 49892->49896 49895->49901 49968 7ff73ad23340 7 API calls 49895->49968 49970 7ff73ad17710 19 API calls 49896->49970 49900 7ff73ad22d15 49897->49900 49900->49901 49966 7ff73ad23340 7 API calls 49900->49966 49901->49882 49901->49891 49903 7ff73ad22d2c 49903->49895 49967 7ff73ad23340 7 API calls 49903->49967 49905->49655 49906->49635 49907->49652 49908->49655 49909->49655 49910->49655 49911->49638 49915 7ff73ad237cb 49912->49915 49913 7ff73ad23850 strchr 49914 7ff73ad23869 strchr 49913->49914 49913->49915 49914->49915 49915->49913 49916 7ff73ad238b8 _strdup 49915->49916 49919 7ff73ad23a84 free 49915->49919 49920 7ff73ad23aaa 49915->49920 49921 7ff73ad23700 25 API calls 49915->49921 49916->49915 49917 7ff73ad23ac9 49916->49917 49918 7ff73ad23ad3 free free 49917->49918 49917->49920 49918->49920 49919->49915 49920->49799 49921->49915 49922->49667 49923->49673 49924->49676 49925->49681 49926->49685 49927->49689 49928->49691 49929->49696 49930->49702 49931->49723 49932->49711 49933->49714 49934->49724 49935->49721 49936->49721 49937->49738 49938->49747 49939->49741 49940->49711 49941->49711 49942->49711 49943->49741 49944->49741 49945->49769 49946->49770 49947->49827 49948->49801 49949->49798 49950->49788 49951->49711 49952->49849 49953->49836 49954->49852 49955->49891 49956->49711 49957->49856 49958->49883 49959->49874 49960->49711 49961->49807 
49962->49711 49963->49884 49964->49881 49965->49901 49966->49903 49967->49895 49968->49901 49969->49901 49970->49711 49971->49873 49972->49856 49973->49878 49974 7ff73ad23230 49975 7ff73ad11910 253 API calls 49974->49975 49976 7ff73ad23247 49975->49976 49977 7ff73ad09310 49978 7ff73ad09321 49977->49978 50005 7ff73ad201c0 49978->50005 49980 7ff73ad09355 49981 7ff73ad09387 49980->49981 49982 7ff73ad17890 15 API calls 49980->49982 50033 7ff73ad20c10 314 API calls 49981->50033 49984 7ff73ad09381 49982->49984 49984->49981 49986 7ff73ad09397 49984->49986 49985 7ff73ad09394 49985->49986 50009 7ff73ad0a2c0 49986->50009 49993 7ff73ad0a0c2 49994 7ff73ad0a0b3 50037 7ff73ad17710 19 API calls 49994->50037 49995 7ff73ad0a240 17 API calls 50002 7ff73ad0901b 49995->50002 49999 7ff73ad18f90 10 API calls 49999->50002 50000 7ff73ad17710 19 API calls 50001 7ff73ad090be 50000->50001 50001->50000 50001->50002 50002->49993 50002->49994 50002->49995 50002->49999 50002->50001 50004 7ff73ad08aa0 292 API calls 50002->50004 50031 7ff73ad17710 19 API calls 50002->50031 50034 7ff73ad131d0 90 API calls 50002->50034 50035 7ff73ad077c0 15 API calls 50002->50035 50036 7ff73ad26f80 22 API calls 50002->50036 50004->50002 50006 7ff73ad201ea 50005->50006 50007 7ff73ad20cf0 18 API calls 50006->50007 50008 7ff73ad20209 50007->50008 50008->49980 50014 7ff73ad0a326 50009->50014 50010 7ff73ad0a6a8 memcpy memcpy 50011 7ff73ad0a590 50010->50011 50012 7ff73ad51370 8 API calls 50011->50012 50015 7ff73ad093a2 50012->50015 50013 7ff73ad0a46e calloc 50013->50011 50021 7ff73ad0a488 50013->50021 50014->50013 50019 7ff73ad0a59a 50014->50019 50014->50021 50015->50002 50025 7ff73ad208e0 50015->50025 50016 7ff73ad0a6a4 50016->50010 50018 7ff73ad1f8a0 malloc memcpy 50018->50021 50019->50010 50019->50016 50044 7ff73ad1fb70 free 50019->50044 50020 7ff73ad0a587 free 50020->50011 50021->50011 50021->50014 50021->50018 50021->50020 50022 7ff73ad0a57f 50021->50022 50038 7ff73ad1fbe0 50021->50038 50043 7ff73ad1fb70 free 
50022->50043 50026 7ff73ad208f9 50025->50026 50045 7ff73ad13c30 50026->50045 50028 7ff73ad20910 50029 7ff73ad092ac 50028->50029 50069 7ff73ad131d0 90 API calls 50028->50069 50029->50002 50032 7ff73ad1d320 free 50029->50032 50031->50002 50032->50002 50033->49985 50034->50002 50035->50002 50036->50002 50037->49993 50039 7ff73ad1fbf7 50038->50039 50040 7ff73ad1fc96 50038->50040 50039->50040 50041 7ff73ad1fc17 malloc 50039->50041 50040->50021 50042 7ff73ad1fc46 50041->50042 50042->50021 50043->50020 50044->50019 50046 7ff73ad26e30 2 API calls 50045->50046 50047 7ff73ad13c55 50046->50047 50048 7ff73ad13c65 50047->50048 50049 7ff73ad13cb9 50047->50049 50050 7ff73ad13c8e free 50047->50050 50048->50028 50052 7ff73ad1f550 2 API calls 50049->50052 50054 7ff73ad13cc5 50049->50054 50070 7ff73ad1ab50 15 API calls 50050->50070 50053 7ff73ad13cef 50052->50053 50055 7ff73ad13d31 50053->50055 50056 7ff73ad13d03 50053->50056 50054->50028 50057 7ff73ad26e30 2 API calls 50055->50057 50058 7ff73ad18520 614 API calls 50056->50058 50059 7ff73ad13d3e 50057->50059 50060 7ff73ad13d19 50058->50060 50063 7ff73ad13d61 50059->50063 50064 7ff73ad26e30 2 API calls 50059->50064 50061 7ff73ad13d21 50060->50061 50062 7ff73ad1f550 2 API calls 50060->50062 50061->50028 50065 7ff73ad13df4 50062->50065 50066 7ff73ad190a0 47 API calls 50063->50066 50064->50063 50065->50028 50067 7ff73ad13d7a 50066->50067 50067->50060 50068 7ff73ad17890 15 API calls 50067->50068 50068->50060 50069->50029 50070->50049 50071 7ff73ad0c9b0 50072 7ff73ad0ca04 50071->50072 50073 7ff73ad0c9f4 50071->50073 50075 7ff73ad1f550 2 API calls 50072->50075 50116 7ff73ad1fe90 50073->50116 50076 7ff73ad0ca46 50075->50076 50082 7ff73ad0d050 calloc 50076->50082 50079 7ff73ad0ca6e 50123 7ff73ad17710 19 API calls 50079->50123 50080 7ff73ad0ca65 50083 7ff73ad0d1de _errno 50082->50083 50084 7ff73ad0d0a1 malloc 50082->50084 50087 7ff73ad0ca61 50083->50087 50085 7ff73ad0d157 50084->50085 50086 7ff73ad0d12c InitializeCriticalSectionEx 50084->50086 
50089 7ff73ad0d180 free 50085->50089 50090 7ff73ad0d170 DeleteCriticalSection free 50085->50090 50124 7ff73ad26800 socket 50086->50124 50087->50079 50087->50080 50092 7ff73ad0d198 50089->50092 50093 7ff73ad0d193 50089->50093 50090->50089 50096 7ff73ad0d1a8 free 50092->50096 50097 7ff73ad0d1a2 closesocket 50092->50097 50144 7ff73ad2a420 free free free 50093->50144 50094 7ff73ad0d206 _strdup 50094->50085 50098 7ff73ad0d220 free _strdup 50094->50098 50096->50083 50097->50096 50099 7ff73ad0d26e 50098->50099 50100 7ff73ad0d242 50098->50100 50102 7ff73ad0d27a EnterCriticalSection LeaveCriticalSection 50099->50102 50103 7ff73ad0d2f1 free 50099->50103 50143 7ff73ad2aaf0 _beginthreadex 50100->50143 50105 7ff73ad0d2a4 CloseHandle 50102->50105 50106 7ff73ad0d2b5 50102->50106 50103->50083 50104 7ff73ad0d256 50104->50087 50107 7ff73ad0d25e _errno 50104->50107 50111 7ff73ad0d2d8 50105->50111 50108 7ff73ad0d2ba 50106->50108 50109 7ff73ad0d2c2 50106->50109 50107->50099 50145 7ff73ad2ab40 WaitForSingleObjectEx CloseHandle 50108->50145 50146 7ff73ad0ced0 7 API calls 50109->50146 50110 7ff73ad0d2e8 closesocket 50110->50103 50111->50110 50147 7ff73ad078a0 free 50111->50147 50115 7ff73ad0d2cb free 50115->50111 50117 7ff73ad1fe99 50116->50117 50118 7ff73ad1feaf socket 50116->50118 50117->50072 50119 7ff73ad1fecc 50118->50119 50120 7ff73ad1fec5 50118->50120 50121 7ff73ad18370 2 API calls 50119->50121 50120->50072 50122 7ff73ad1fed6 50121->50122 50122->50072 50123->50080 50125 7ff73ad26855 htonl setsockopt 50124->50125 50130 7ff73ad26850 50124->50130 50126 7ff73ad269db closesocket closesocket closesocket 50125->50126 50127 7ff73ad268b4 bind 50125->50127 50126->50130 50127->50126 50129 7ff73ad268cf getsockname 50127->50129 50128 7ff73ad51370 8 API calls 50131 7ff73ad0d14f 50128->50131 50129->50126 50132 7ff73ad268eb listen 50129->50132 50130->50128 50131->50085 50131->50094 50132->50126 50133 7ff73ad26900 socket 50132->50133 50133->50126 50134 7ff73ad2691b connect 50133->50134 50134->50126 
50135 7ff73ad26936 accept 50134->50135 50135->50126 50136 7ff73ad26952 50135->50136 50137 7ff73ad1ac20 13 API calls 50136->50137 50138 7ff73ad26969 send 50137->50138 50138->50126 50140 7ff73ad2699a recv 50138->50140 50140->50126 50141 7ff73ad269b8 memcmp 50140->50141 50141->50126 50142 7ff73ad269ce closesocket 50141->50142 50142->50130 50143->50104 50144->50092 50145->50109 50146->50115 50147->50110 50148 7ff73ad09e55 50149 7ff73ad09e64 50148->50149 50153 7ff73ad09e83 50148->50153 50150 7ff73ad09e75 50149->50150 50151 7ff73ad0a240 17 API calls 50149->50151 50152 7ff73ad08aa0 292 API calls 50150->50152 50151->50150 50152->50153 50166 7ff73ad0901b 50153->50166 50169 7ff73ad077c0 15 API calls 50153->50169 50155 7ff73ad0a240 17 API calls 50155->50166 50157 7ff73ad0a0c2 50158 7ff73ad0a0b3 50173 7ff73ad17710 19 API calls 50158->50173 50162 7ff73ad18f90 10 API calls 50162->50166 50163 7ff73ad090be 50164 7ff73ad17710 19 API calls 50163->50164 50163->50166 50164->50163 50166->50155 50166->50157 50166->50158 50166->50162 50166->50163 50167 7ff73ad08aa0 292 API calls 50166->50167 50168 7ff73ad17710 19 API calls 50166->50168 50170 7ff73ad131d0 90 API calls 50166->50170 50171 7ff73ad077c0 15 API calls 50166->50171 50172 7ff73ad26f80 22 API calls 50166->50172 50167->50166 50168->50166 50169->50166 50170->50166 50171->50166 50172->50166 50173->50157
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$strchr$_strdup$callocmemcpystrstr
                                            • String ID: %s$%s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s$%s%s$%s%s=%s$%s: %s, %02d %s %4d %02d:%02d:%02d GMT$%s?%s$%x$0$1.0$1.1$100-continue$;type=$;type=%c$?%s$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: */*$Chunky upload is not supported by HTTP 1.0$Content-Length$Content-Length: %I64d$Content-Length: 0$Content-Range$Content-Range: bytes %s%I64d/%I64d$Content-Range: bytes %s/%I64d$Content-Range: bytes 0-%I64d/%I64d$Content-Type$Content-Type: application/x-www-form-urlencoded$Cookie$Cookie: $Could not seek stream$Could only read %I64d bytes from the input$Expect$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request$File already completely uploaded$GET$HEAD$Host$Host:$Host: %s%s%s$Host: %s%s%s:%d$Host:%s$If-Modified-Since$If-Unmodified-Since$Invalid TIMEVALUE$Last-Modified$OPTIONS$POST$PUT$Proxy-Connection$Proxy-Connection: Keep-Alive$Range$Range: bytes=%s$Referer$Referer: %s$Transfer-Encoding$Transfer-Encoding:$Transfer-Encoding: chunked$User-Agent$chunked$ftp$ftp://%s:%s@%s$http$multipart/form-data$upload completely sent off: %I64d out of %I64d bytes
                                            • API String ID: 2045874074-4264080130
                                            • Opcode ID: 955865406a5f8e2f9fc8f83f6401c383669c58a7e88c3455f6c98b275ceff23b
                                            • Instruction ID: 6ecd3c9845e224021bd6b0ff319f2300784faaa9ed5157855dbc9f14c1cbdcf8
                                            • Opcode Fuzzy Hash: 955865406a5f8e2f9fc8f83f6401c383669c58a7e88c3455f6c98b275ceff23b
                                            • Instruction Fuzzy Hash: 2E03D579A2868AA1FB58AB25D4423FDA7A0EF45B84FC440B1DE1D0769DDF3CE541E320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: strchr$_strdupstrncmpstrtol
                                            • String ID: CurrentService$CurrentUser$CurrentUserGroupPolicy$LocalMachine$LocalMachineEnterprise$LocalMachineGroupPolicy$Microsoft Unified Security Protocol Provider$Services$Unable to set ciphers to passed via SSL_CONN_CONFIG$Users$http/1.1$http/1.1$schannel: ALPN, offering %s$schannel: AcquireCredentialsHandle failed: %s$schannel: Failed to get certificate from file %s, last error is 0x%x$schannel: Failed to get certificate location or file for %s$schannel: Failed to import cert file %s, last error is 0x%x$schannel: Failed to import cert file %s, password is bad$schannel: Failed to open cert store %x %s, last error is 0x%x$schannel: Failed to read cert file %s$schannel: TLS 1.3 is not yet supported$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.
                                            • API String ID: 707411602-3372543188
                                            • Opcode ID: 1627879a47a5845c18c4de8ee2a585c2af060702f9ac72af15faa4f2d1283c54
                                            • Instruction ID: 0c0fb1f2713a472c1fad837bf182fa2af76f51c16d09fa83ae6876971263bac3
                                            • Opcode Fuzzy Hash: 1627879a47a5845c18c4de8ee2a585c2af060702f9ac72af15faa4f2d1283c54
                                            • Instruction Fuzzy Hash: 9642F179A28B46A2FB24AF21D4563B9A7A0FF45B84FC04075CA1E47798DF3DE444E720

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ConditionMask$AddressLibraryLoadProc$DirectorySystem$CleanupFrequencyHandleInfoModulePerformanceQueryStartupVerifyVersionfreemallocstrpbrk
                                            • String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
                                            • API String ID: 2612373469-2794540096
                                            • Opcode ID: a2949ce53e448b5f0c449650b4e06b854fbaa729135adb64d1c555148e16f196
                                            • Instruction ID: 6f99ae4006be175ab83b4211b8177f5be7f760eb7cbafe7990f3a89b78678b49
                                            • Opcode Fuzzy Hash: a2949ce53e448b5f0c449650b4e06b854fbaa729135adb64d1c555148e16f196
                                            • Instruction Fuzzy Hash: 47919769E1CB82A1FB60AB21E4163B9A3A1FF89B80FC44175D94D0776CEF3CE5459720

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLast$setsockopt$fwrite$CounterIoctlPerformanceQuery_errnoclosesocketconnectgetsockopthtonsioctlsocketmemcpysocket
                                            • String ID: Trying %s:%ld...$ @$Could not set TCP_NODELAY: %s$Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
                                            • API String ID: 3453287622-3868455274
                                            • Opcode ID: 7db98673a1862746b6fb662ee0155c3ef7d425d7e40dea859b6aa2dc1ddde034
                                            • Instruction ID: b886627aed14009f7a36c4700db93906e5f29ad99a6af5ec6cd15fc99e1130c1
                                            • Opcode Fuzzy Hash: 7db98673a1862746b6fb662ee0155c3ef7d425d7e40dea859b6aa2dc1ddde034
                                            • Instruction Fuzzy Hash: 18F1E579A28242A6FB90EB35D4462BDA390FB44B44FC04475EA4E47B9CDF3CE545EB10

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleA.KERNEL32(?,?,?,00007FF73AD4425A,?,?,?,?,00007FF73AD1A78B), ref: 00007FF73AD1A414
                                            • GetProcAddress.KERNEL32(?,?,00007FF73AD4425A,?,?,?,?,00007FF73AD1A78B), ref: 00007FF73AD1A439
                                            • strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00007FF73AD4425A,?,?,?,?,00007FF73AD1A78B), ref: 00007FF73AD1A44C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProcstrpbrk
                                            • String ID: AddDllDirectory$LoadLibraryExA$kernel32
                                            • API String ID: 27745253-3327535076
                                            • Opcode ID: 930ffd6944da0613daa0a17fe6f37ed625366f21847b97e45e01bf7b474feb0e
                                            • Instruction ID: 8e7259d15134bc35a57f51034edee4d5906cb055bc52857528a3f164421405c3
                                            • Opcode Fuzzy Hash: 930ffd6944da0613daa0a17fe6f37ed625366f21847b97e45e01bf7b474feb0e
                                            • Instruction Fuzzy Hash: 4841E85AF1D64262FF55AF66A411139A791EF46BE1F888170CE1D037A8DF3CD486D320

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: socket$acceptbindclosesocketconnectgetsocknamehtonllistenmemcmprecvsendsetsockopt
                                            • String ID:
                                            • API String ID: 3699910901-0
                                            • Opcode ID: 6cc5f48b77c786b183805c6372d46d3aefc17a40480fa3092477dd1ea067b7c8
                                            • Instruction ID: 18f950b8884021a4059057cb4ccc98cdd88d5863e43c4a6d8481d48b6dce1a36
                                            • Opcode Fuzzy Hash: 6cc5f48b77c786b183805c6372d46d3aefc17a40480fa3092477dd1ea067b7c8
                                            • Instruction Fuzzy Hash: 0551D075628A46A2FB10AF25E455169B361EF84BB0F804331EABE03AECDF3CD449D710

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: After %I64dms connect time, move on!$Connection failed$Connection time-out$Failed to connect to %s port %ld: %s$connect to %s port %ld failed: %s
                                            • API String ID: 0-3307081561
                                            • Opcode ID: f1202ecb1fa770e4090af42aa361c3384aef45fef6d8e9a7931020e231e9cf06
                                            • Instruction ID: c65c9b0af87c32c847dd024fcd22f523ea2bf195e20d40806dbf1946ee9a6a83
                                            • Opcode Fuzzy Hash: f1202ecb1fa770e4090af42aa361c3384aef45fef6d8e9a7931020e231e9cf06
                                            • Instruction Fuzzy Hash: B1E1126AB28682A2FB94EB34D1463BDA3A1FB45794F840275EA5D077C9DF3CE401D310
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freerecv
                                            • String ID:
                                            • API String ID: 2032557106-0
                                            • Opcode ID: 6e71e634e3f003646cfc9b0eeaab8402402f034b778676c0a0fe01f72510a5ee
                                            • Instruction ID: ca520014e387509612c4f28cd43b78f4533862be35f9de7787754e0c9a7af721
                                            • Opcode Fuzzy Hash: 6e71e634e3f003646cfc9b0eeaab8402402f034b778676c0a0fe01f72510a5ee
                                            • Instruction Fuzzy Hash: E2C1283AB28A8296FB25DB2590013B9A390FF45BA4F844275DE6E477C8DF3CE8419711

                                            Control-flow Graph

                                            APIs
                                            • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF73AD035CB
                                            • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF73AD035EC
                                              • Part of subcall function 00007FF73AD03290: rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF73AD032D0
                                            • SetConsoleTitleA.KERNEL32 ref: 00007FF73AD03611
                                            • GetConsoleWindow.KERNELBASE ref: 00007FF73AD03621
                                            • GetWindowLongPtrA.USER32 ref: 00007FF73AD03632
                                            • SetWindowLongPtrA.USER32 ref: 00007FF73AD03648
                                            • SetLayeredWindowAttributes.USER32 ref: 00007FF73AD0365C
                                            • GetStdHandle.KERNEL32 ref: 00007FF73AD0366C
                                            • SetConsoleTextAttribute.KERNELBASE ref: 00007FF73AD03678
                                              • Part of subcall function 00007FF73AD03580: GetStdHandle.KERNEL32 ref: 00007FF73AD0358E
                                              • Part of subcall function 00007FF73ACF2DD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2F78
                                              • Part of subcall function 00007FF73AD03810: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,0000000B,00007FF73AD0369E), ref: 00007FF73AD03834
                                              • Part of subcall function 00007FF73AD03810: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,0000000B,00007FF73AD0369E), ref: 00007FF73AD03855
                                              • Part of subcall function 00007FF73AD02010: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF73AD02052
                                              • Part of subcall function 00007FF73AD02010: ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF73AD0206C
                                              • Part of subcall function 00007FF73AD02010: ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF73AD0208D
                                              • Part of subcall function 00007FF73AD02010: ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF73AD020DF
                                              • Part of subcall function 00007FF73AD02010: ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF73AD020F4
                                              • Part of subcall function 00007FF73AD02010: ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF73AD02113
                                              • Part of subcall function 00007FF73AD02010: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF73AD02132
                                              • Part of subcall function 00007FF73AD02010: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF73AD0213B
                                              • Part of subcall function 00007FF73AD02010: ?width@ios_base@std@@QEAA_J_J@Z.MSVCP140 ref: 00007FF73AD021EC
                                            • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73AD03763
                                            • GetConsoleWindow.KERNEL32 ref: 00007FF73AD03769
                                            • ShowWindow.USER32 ref: 00007FF73AD03774
                                            • Beep.KERNEL32 ref: 00007FF73AD03781
                                            • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73AD037E7
                                            • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73AD037F4
                                            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73AD037FC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: U?$char_traits@Window$?width@ios_base@std@@ConsoleD@std@@@std@@$randsystem$?rdbuf@?$basic_ios@D@std@@@2@HandleLongV?$basic_streambuf@$?getloc@ios_base@std@@?sgetc@?$basic_streambuf@AttributeAttributesBeepIpfx@?$basic_istream@LayeredShowTextTitleVlocale@2@__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnexit
                                            • String ID: Inserir Key: $##########################################################$##########################################################$.exe$C:\Windows\System32\ServiceHubSettingsHostDialog.exe$[ Selecione uma opcao: ]$cd C:\$cls$fivem$http://185.101.104.122/Runtimess.exe$start C:\Windows\System32\ServiceHubSettingsHostDialog.exe
                                            • API String ID: 3205950358-389504625
                                            • Opcode ID: f27d5433c3341dc8c674189e7306529748f819ba727e9977b5b18e8fb9edc4d3
                                            • Instruction ID: 1ef49dce3d1fc42624f2a9cddf2937a5cbca756b30670c2e771cb40989c7805e
                                            • Opcode Fuzzy Hash: f27d5433c3341dc8c674189e7306529748f819ba727e9977b5b18e8fb9edc4d3
                                            • Instruction Fuzzy Hash: 6851BA68A29943B1FB04FB20E8671B9E355FF90741FC040B5D51E469BAEF2CE549E720

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2BD7
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2C47
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2CA7
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2CF7
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2D47
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2F78
                                              • Part of subcall function 00007FF73ACF5640: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF5700
                                              • Part of subcall function 00007FF73AD50FD4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF73ACF517E,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73AD50FEE
                                              • Part of subcall function 00007FF73ACF50A0: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73ACF50D1
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2FC8
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3007
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3055
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3094
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3148
                                            • memcpy.VCRUNTIME140 ref: 00007FF73ACF316D
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3243
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF328A
                                            • ShellExecuteA.SHELL32 ref: 00007FF73ACF3382
                                            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF338A
                                            • MessageBoxA.USER32 ref: 00007FF73ACF33C0
                                            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF33D1
                                            • Sleep.KERNEL32 ref: 00007FF73ACF3439
                                            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3441
                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF73ACF3448
                                              • Part of subcall function 00007FF73ACF3490: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF359F
                                              • Part of subcall function 00007FF73ACF3490: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF35E0
                                              • Part of subcall function 00007FF73ACF49A0: memcpy.VCRUNTIME140 ref: 00007FF73ACF49F3
                                              • Part of subcall function 00007FF73ACF3600: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF36E0
                                              • Part of subcall function 00007FF73ACF3700: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF37E0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo_noreturn$system$exitmemcpy$Concurrency::cancel_current_taskExecuteMessageShellSleepmalloc
                                            • String ID: Failure$download$invalidver$message$open$sessionid$success
                                            • API String ID: 3283070336-3881042241
                                            • Opcode ID: c6c0d88f1881646470753c44f85bd3bd17c848248a9b68d82f9522dd865cdc20
                                            • Instruction ID: f368e829d7731613cbeb6630bde61e33ab7d9db326d87de9191e5c70c699561e
                                            • Opcode Fuzzy Hash: c6c0d88f1881646470753c44f85bd3bd17c848248a9b68d82f9522dd865cdc20
                                            • Instruction Fuzzy Hash: A3022866E19B82A5FB00EB24D4563ADA761FB40794FC05271EAAD07BDADF7CE080D350

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: memcpy
                                            • String ID: schannel: Curl_read_plain returned CURLE_RECV_ERROR$schannel: Curl_read_plain returned error %d$schannel: SSL/TLS connection renegotiated$schannel: an unrecoverable error occurred in a prior call$schannel: can't renogotiate, an error is pending$schannel: can't renogotiate, encrypted data available$schannel: enough decrypted data is already available$schannel: failed to decrypt data, need more data$schannel: failed to read data from server: %s$schannel: remote party requests renegotiation$schannel: renegotiating SSL/TLS connection$schannel: renegotiation failed$schannel: server closed abruptly (missing close_notify)$schannel: server closed the connection$schannel: server indicated shutdown in a prior call$schannel: unable to re-allocate memory
                                            • API String ID: 3510742995-857957974
                                            • Opcode ID: 658663e5c896aa931729701bfbad33902eb0a8421c31b811211404a493ba3bfb
                                            • Instruction ID: be893e487933c01b086de291a1660bc31f6e1c6be723f1df2ce22ca681808e6b
                                            • Opcode Fuzzy Hash: 658663e5c896aa931729701bfbad33902eb0a8421c31b811211404a493ba3bfb
                                            • Instruction Fuzzy Hash: B302357AA28B4995FB50EF19D4453A9ABA4FB80B94FA00276DE8D433ACDF3CD441D710

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: malloc$memcpy$CertCertificateContextFreefreememsetrealloc
                                            • String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key!$schannel: Failed to read remote certificate context: %s$schannel: SNI or certificate check failed: %s$schannel: failed to receive handshake, SSL/TLS connection failed$schannel: failed to send next handshake data: sent %zd of %lu bytes$schannel: next InitializeSecurityContext failed: %s$schannel: unable to allocate memory$schannel: unable to re-allocate memory
                                            • API String ID: 860210379-3059304359
                                            • Opcode ID: 9a453b4f3af2256e115fd8ec33db338714afa8d6d4086593a2de63151eed420b
                                            • Instruction ID: 2e5a715c0d45239bbcb84407a873f819d5fe569cf82efc6e52287bb9d8309833
                                            • Opcode Fuzzy Hash: 9a453b4f3af2256e115fd8ec33db338714afa8d6d4086593a2de63151eed420b
                                            • Instruction Fuzzy Hash: 3912037AA18B8596FB60EB29D8493BEB7A0FB44B84F900072CA5D47798DF3DD841D710

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: Unrecognized parameter passed via CURLOPT_SSLVERSION$http/1.1$http/1.1$ntdll$schannel: ALPN, offering %s$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
                                            • API String ID: 1646373207-2477831187
                                            • Opcode ID: eb65caeb0ec1ceeca98515e8ebfcbbb51050129689c5196f292fa902b77437af
                                            • Instruction ID: a56c235d66d25c25adab162493667f625dcef4335c7c9dfb224946539fb38864
                                            • Opcode Fuzzy Hash: eb65caeb0ec1ceeca98515e8ebfcbbb51050129689c5196f292fa902b77437af
                                            • Instruction Fuzzy Hash: 59021F7AA18B85AAFB20AB24D8453FEB7A4FB44784F800176DA5D07798DF3CE540E710

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$CriticalSection$_errno_strdupclosesocket$CloseDeleteEnterHandleInitializeLeavecallocmallocsocket
                                            • String ID:
                                            • API String ID: 259767416-0
                                            • Opcode ID: 1ab21e29e097ba9015accc2a1786f64bc2b6e26699699161f436a0ea4b40475b
                                            • Instruction ID: 56c4939578745ff474d8b04d13383906d4c4e6b402969292675a83ec70fed0f8
                                            • Opcode Fuzzy Hash: 1ab21e29e097ba9015accc2a1786f64bc2b6e26699699161f436a0ea4b40475b
                                            • Instruction Fuzzy Hash: 9A818E2AD15B8196F724EF21E851269B360FB98B54F805375DB9E037A9DF38E0D4D310
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: NTLM picked AND auth done set, clear picked!$NTLM-proxy picked AND auth done set, clear picked!$No connections available in cache$No connections available.$No more connections allowed to host %s: %zu$Re-using existing connection! (#%ld) with %s %s$anonymous$ftp@example.com$host$proxy
                                            • API String ID: 0-760484938
                                            • Opcode ID: 4ee4e4438b715250b0852179961d660f393744e2c14307a6a4f5d37ba513111d
                                            • Instruction ID: e624ae60bc0581f6ef847c3bc50dda70c82f98fed33e1c2d1f8d3025f349fb31
                                            • Opcode Fuzzy Hash: 4ee4e4438b715250b0852179961d660f393744e2c14307a6a4f5d37ba513111d
                                            • Instruction Fuzzy Hash: D142D6AAB19B8261FBD9EB3195413B9A390FB55B84F8841B5CE5D07789DF3CE060D320

                                            Control-flow Graph

                                            APIs
                                            • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD03901,?,?,?,?,00007FF73ACF4301), ref: 00007FF73AD13668
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD136B1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: callocfree
                                            • String ID: <$<$<$`$v
                                            • API String ID: 306872129-2056843887
                                            • Opcode ID: ed4afc367ca02616cb8f6bc22ca0dcd32d3313aa164d0e3b3b22a3d0f2c825f4
                                            • Instruction ID: 80c2198777c5ab3a99d1e4ea4e55f2a8312e5711c15e461f9232da12e758d6cf
                                            • Opcode Fuzzy Hash: ed4afc367ca02616cb8f6bc22ca0dcd32d3313aa164d0e3b3b22a3d0f2c825f4
                                            • Instruction Fuzzy Hash: 2B916B76918BC186E3409F34D4053E87BA0FB95B5CF485239CF990A79ADF7AA094C720

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLast$_errnogetpeernamegetsockname
                                            • String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
                                            • API String ID: 2911674258-670633250
                                            • Opcode ID: ae4c1ae73554bbbf6e251e1cbcb7cc57b8f9f27a25c1969845fcb2e9fb67ec3b
                                            • Instruction ID: 82d01cf6e9480de4ac13ed92ab2fe12ac05458e2873881ded5b959d5cc4ba44a
                                            • Opcode Fuzzy Hash: ae4c1ae73554bbbf6e251e1cbcb7cc57b8f9f27a25c1969845fcb2e9fb67ec3b
                                            • Instruction Fuzzy Hash: A191E27AA28BC192EB10DF35C4513E973A0FB89B88F845235EE4D47659DF39E185CB20

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$malloc$ErrorLast_strdupfreeaddrinfogetaddrinfomemcpy
                                            • String ID:
                                            • API String ID: 2364279375-0
                                            • Opcode ID: 3b81a1883c57e47432cecb4e621141014c86fe15a50a35486e3fd9914ba85bd1
                                            • Instruction ID: cae8469d3854cf5479ab8e0d9b4a63fde5ae6f861f963774ddf2e4777d278466
                                            • Opcode Fuzzy Hash: 3b81a1883c57e47432cecb4e621141014c86fe15a50a35486e3fd9914ba85bd1
                                            • Instruction Fuzzy Hash: 18517F79A19B4696FB25AF11A50113AF7A0FB44B90F844075CE9E07B68DF3CE845E720

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLastSleep
                                            • String ID:
                                            • API String ID: 1458359878-0
                                            • Opcode ID: 5b13c4459e5748bf63562c5fbd040ba3a850f07834c93df58ed827bc88dc06bf
                                            • Instruction ID: 43c8858b8195b89966ab1c7c7cdc066e9b7492f9ba08edc77b213fe4a24a6f82
                                            • Opcode Fuzzy Hash: 5b13c4459e5748bf63562c5fbd040ba3a850f07834c93df58ed827bc88dc06bf
                                            • Instruction Fuzzy Hash: 93914C29B2C686A6FB346E2499421B9E2A1FF45754F904174EA1D87BCCDF3CE901E720
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: calloc
                                            • String ID: Couldn't resolve host '%s'$Couldn't resolve proxy '%s'$Unix socket path too long: '%s'
                                            • API String ID: 2635317215-3812100122
                                            • Opcode ID: 298ca9fd91460239932b425c5934b15dc46c6d5126ddd13708cd9e9d54dcac22
                                            • Instruction ID: 681996ba9be8174f6bf7754ef0a13b64f9728232c666d67a678c7d330796fd36
                                            • Opcode Fuzzy Hash: 298ca9fd91460239932b425c5934b15dc46c6d5126ddd13708cd9e9d54dcac22
                                            • Instruction Fuzzy Hash: 1851F72AB1CB42A3FB99AB35D051379A790EB84780F944571EF4C433A8DF3DE451A720
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: system
                                            • String ID: .8$h%49
                                            • API String ID: 3377271179-4206735779
                                            • Opcode ID: 04e1bb3fdf93c86dc89e0371cfefaac794fe8f72405b8646e5bcbe3c504f26a1
                                            • Instruction ID: 24aa7df3952545eb4e8d9ec3f3f5c0d4967992b9dd784b4c76a22dcf3022f212
                                            • Opcode Fuzzy Hash: 04e1bb3fdf93c86dc89e0371cfefaac794fe8f72405b8646e5bcbe3c504f26a1
                                            • Instruction Fuzzy Hash: C6617077E28BD698F301DB78D8061BCB770FB99748F8052B4DEC526D1AEBA85148C354
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                            • String ID:
                                            • API String ID: 1133592946-0
                                            • Opcode ID: 0b57f4e5e11b319b301b3d568c6fca9fb7e553c9c51a03cb5587130aab8ce9b2
                                            • Instruction ID: c152532b934a0df1e0d58a0e5faabcad6d08ab74a42cc25b9bc45275773632f2
                                            • Opcode Fuzzy Hash: 0b57f4e5e11b319b301b3d568c6fca9fb7e553c9c51a03cb5587130aab8ce9b2
                                            • Instruction Fuzzy Hash: ED312BA9E2D243A1FE14BB2494137BA9391EF41784FC440B5F64D076DFDF2CA849A630
                                            APIs
                                              • Part of subcall function 00007FF73AD2A470: getaddrinfo.WS2_32 ref: 00007FF73AD2A492
                                              • Part of subcall function 00007FF73AD2A470: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD0CF95), ref: 00007FF73AD2A4FE
                                              • Part of subcall function 00007FF73AD2A470: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD0CF95), ref: 00007FF73AD2A538
                                              • Part of subcall function 00007FF73AD2A470: memcpy.VCRUNTIME140(?,?,?,00007FF73AD0CF95), ref: 00007FF73AD2A551
                                              • Part of subcall function 00007FF73AD2A470: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD0CF95), ref: 00007FF73AD2A55F
                                              • Part of subcall function 00007FF73AD2A470: freeaddrinfo.WS2_32(?,?,?,00007FF73AD0CF95), ref: 00007FF73AD2A5D1
                                              • Part of subcall function 00007FF73AD2A470: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD0CF95), ref: 00007FF73AD2A5E5
                                              • Part of subcall function 00007FF73AD2A470: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD0CF95), ref: 00007FF73AD2A5EF
                                              • Part of subcall function 00007FF73AD2A470: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD0CF95), ref: 00007FF73AD2A5FC
                                            • WSAGetLastError.WS2_32 ref: 00007FF73AD0CF9B
                                            • WSAGetLastError.WS2_32 ref: 00007FF73AD0CFA5
                                            • EnterCriticalSection.KERNEL32 ref: 00007FF73AD0CFC0
                                            • LeaveCriticalSection.KERNEL32 ref: 00007FF73AD0CFCF
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD0CFE0
                                            • send.WS2_32 ref: 00007FF73AD0D003
                                            • WSAGetLastError.WS2_32 ref: 00007FF73AD0D00D
                                            • LeaveCriticalSection.KERNEL32 ref: 00007FF73AD0D020
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$CriticalErrorLastSection$Leavemalloc$Enter_strdupfreeaddrinfogetaddrinfomemcpysend
                                            • String ID:
                                            • API String ID: 506363382-0
                                            • Opcode ID: eca7f3fa03cb7088b04734fff395d0f0ef4854b132db828a14a1e6d0a8eb1d44
                                            • Instruction ID: ee244dbf4a9519cad175bb8bc7b8fac13ad736d44aad1a4b3ea54d6c9e15d696
                                            • Opcode Fuzzy Hash: eca7f3fa03cb7088b04734fff395d0f0ef4854b132db828a14a1e6d0a8eb1d44
                                            • Instruction Fuzzy Hash: 6431E775A18A42A2FB00EF35E455269B7A0FF84F98F800172DA5E836ACDF3CD845D761
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLastSleep
                                            • String ID:
                                            • API String ID: 1458359878-0
                                            • Opcode ID: c8679dafddfc3f6c28f1eb495d0364e39bcf7d316b2b1e20d03c4006334b0ab5
                                            • Instruction ID: 9dc5d62c208c4307a88215c04dc147c79cb91f13de002f9440170ffabbd2dcd3
                                            • Opcode Fuzzy Hash: c8679dafddfc3f6c28f1eb495d0364e39bcf7d316b2b1e20d03c4006334b0ab5
                                            • Instruction Fuzzy Hash: 91A14B29B3864A96FB796F24D4052B9A2A5FF86BA0F804274E91D47BCCDF3DD500E710
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freemallocmemcpy
                                            • String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
                                            • API String ID: 3056473165-3891197721
                                            • Opcode ID: 5b335bf0d44496320023fedbc5dd29276b42dff4725346786d21bfd590ced9a1
                                            • Instruction ID: 835eb8c238c9083c51cc77e4e3e4d80ed3934ba777b7ee860fdf34020db7ae2f
                                            • Opcode Fuzzy Hash: 5b335bf0d44496320023fedbc5dd29276b42dff4725346786d21bfd590ced9a1
                                            • Instruction Fuzzy Hash: E071AD7AB18B059AFB10EF65D4516AD73A1FB48BA8F800275DE6D477D8EE38E006D310
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: %s$Connection #%ld to host %s left intact
                                            • API String ID: 1294909896-118628944
                                            • Opcode ID: 7146bb7cb77169b74bd752f62843a2f7559ec1fea6529fc12f3af6bbe38571ea
                                            • Instruction ID: 3db8d25b01fff5c683aae7d8f1a607804547954f8f7c53375b07622c4cd6b7fc
                                            • Opcode Fuzzy Hash: 7146bb7cb77169b74bd752f62843a2f7559ec1fea6529fc12f3af6bbe38571ea
                                            • Instruction Fuzzy Hash: EB91B13AA28681A2FB58FB2195463FDB3E0FB45B84F844471DE4E07259CF3CE460A361
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD12F5B
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD12F71
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12D8D
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12DAA
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12DBE
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12DDA
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12DF7
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12E1A
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12E2E
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12E42
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12E68
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12E7C
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12E90
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12EDF
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12EEC
                                              • Part of subcall function 00007FF73AD12D10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12F15
                                            • memset.VCRUNTIME140 ref: 00007FF73AD12FA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$memset
                                            • String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
                                            • API String ID: 2717317152-3248832348
                                            • Opcode ID: fa8131d12a719602b61b1e86ffa4e1997d555cdfa0adbb24a1c8e12bb0559bf3
                                            • Instruction ID: 7a74f2734769f9384f44d1780d3702ddb72f07a344eaf754dc385889eb591822
                                            • Opcode Fuzzy Hash: fa8131d12a719602b61b1e86ffa4e1997d555cdfa0adbb24a1c8e12bb0559bf3
                                            • Instruction Fuzzy Hash: CD71916AA1CBC291F791EF35D4023BDA790EB81B94F884175DB5D0B699DF3DE4809320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$memcpy
                                            • String ID: 1.1
                                            • API String ID: 4107583993-2150719395
                                            • Opcode ID: 1bd5f0f387f3a883000cfacb9928adfb29df4d7921f4b7b1319418afa16f066e
                                            • Instruction ID: 46842e934c4c2e0aea38d4df54441ea427c05bf81f51614a936e859ebaf189ee
                                            • Opcode Fuzzy Hash: 1bd5f0f387f3a883000cfacb9928adfb29df4d7921f4b7b1319418afa16f066e
                                            • Instruction Fuzzy Hash: 8751AF7A718B8996E764AF22E4413AAB3A4FB45B84F844071DFAD47B58CF3CE094D310
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLastmallocrecvsend
                                            • String ID: Send failure: %s
                                            • API String ID: 25851408-857917747
                                            • Opcode ID: d1fc5e5179596be071d0c38d7398d39a64957bf0ca119ddfe01feb8fd2c11583
                                            • Instruction ID: a8cfb2f2506b6f240452bd007f8251a9b5331b894c4cbda52debe84e3aa7ab24
                                            • Opcode Fuzzy Hash: d1fc5e5179596be071d0c38d7398d39a64957bf0ca119ddfe01feb8fd2c11583
                                            • Instruction Fuzzy Hash: DC41CF7A719B8595FBA0AF25E801779A290EB0AFE8F844675CE6D033A8DF3CD001D710
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: Resolving timed out after %I64d milliseconds
                                            • API String ID: 1294909896-3343404259
                                            APIs
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2BD7
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2C47
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2CA7
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2CF7
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2D47
                                            • MessageBoxA.USER32 ref: 00007FF73ACF4497
                                              • Part of subcall function 00007FF73ACF50A0: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73ACF50D1
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF44FA
                                            Similarity
                                            • API ID: system$Message_invalid_parameter_noinfo_noreturnmemcpy
                                            • String ID: keyauth.win$null
                                            • API String ID: 3545939226-2841560827
                                            APIs
                                              • Part of subcall function 00007FF73AD1A400: GetModuleHandleA.KERNEL32(?,?,?,00007FF73AD4425A,?,?,?,?,00007FF73AD1A78B), ref: 00007FF73AD1A414
                                            • GetProcAddressForCaller.KERNELBASE(?,?,?,?,00007FF73AD1A78B), ref: 00007FF73AD44270
                                            Similarity
                                            • API ID: AddressCallerHandleModuleProc
                                            • String ID: InitSecurityInterfaceA$secur32.dll$security.dll
                                            • API String ID: 2084706301-3788156360
                                            Similarity
                                            • API ID:
                                            • String ID: Resolving timed out after %I64d milliseconds
                                            • API String ID: 0-3343404259
                                            APIs
                                            • calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD23170
                                              • Part of subcall function 00007FF73AD23700: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD2375A
                                              • Part of subcall function 00007FF73AD234B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD23548
                                              • Part of subcall function 00007FF73AD234B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD23551
                                            Similarity
                                            • API ID: free$calloc
                                            • String ID: PROXY %s %s %s %li %li$TCP4$TCP6
                                            • API String ID: 3095843317-1242256665
                                            Similarity
                                            • API ID: closesocket$calloc
                                            • String ID:
                                            • API String ID: 2958813939-0
                                            Similarity
                                            • API ID:
                                            • String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
                                            • API String ID: 0-3791222319
                                            Similarity
                                            • API ID: free
                                            • String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
                                            • API String ID: 1294909896-3248832348
                                            Similarity
                                            • API ID: ErrorLastrecv
                                            • String ID:
                                            • API String ID: 2514157807-0
                                            Similarity
                                            • API ID: closesocket
                                            • String ID:
                                            • API String ID: 2781271927-0
                                            Similarity
                                            • API ID: socket
                                            • String ID:
                                            • API String ID: 98920635-0
                                            Similarity
                                            • API ID: _beginthreadex
                                            • String ID:
                                            • API String ID: 3014514943-0
                                            Similarity
                                            • API ID: ioctlsocket
                                            • String ID:
                                            • API String ID: 3577187118-0
                                            Similarity
                                            • API ID: free$#211$fwrite$#217calloc
                                            • String ID: ;binary$DN: $LDAP local: %s$LDAP local: %s$LDAP local: Cannot connect to %s:%ld$LDAP local: LDAP Vendor = %s ; LDAP Version = %d$LDAP local: bind via ldap_win_bind %s$LDAP local: trying to establish %s connection$LDAP remote: %s$Microsoft Corporation.$There are more than %d entries$cleartext$encrypted
                                            • API String ID: 2742731861-78870445
                                            Similarity
                                            • API ID: Xbad_function_call@std@@__std_exception_destroy_invalid_parameter_noinfo_noreturn
                                            • String ID: array$number overflow parsing '$object$object key$object separator
                                            • API String ID: 1664669839-85532522
                                            Similarity
                                            • API ID: ErrorLast$File$FreeLibraryRead$HandleMultipleNamedObjectsPeekPipeStartupTypeWaitcallocsend
                                            • String ID: $FreeLibrary(wsock2) failed (%u)$Time-out$WS2_32.DLL$WSACloseEvent$WSACloseEvent failed (%d)$WSACreateEvent$WSACreateEvent failed (%d)$WSAEnumNetworkEvents$WSAEnumNetworkEvents failed (%d)$WSAEventSelect$WSAStartup failed (%d)$failed to find WSACloseEvent function (%u)$failed to find WSACreateEvent function (%u)$failed to find WSAEnumNetworkEvents function (%u)$failed to find WSAEventSelect function (%u)$failed to load WS2_32.DLL (%u)$insufficient winsock version to support telnet
                                            • API String ID: 1025660337-777782649
                                            • Opcode ID: 09bab5dfd0a1050dc16566aa1b7cf4762c81da28fbbf565bb227b1c71a5ee9be
                                            • Instruction ID: 752b54a13b86386de5ea34081982c55f101a43e3536ce959b4d3b97ca6f898b7
                                            • Opcode Fuzzy Hash: 09bab5dfd0a1050dc16566aa1b7cf4762c81da28fbbf565bb227b1c71a5ee9be
                                            • Instruction Fuzzy Hash: A412C079E28A82A1FB64AF2594163B9A3A0FB45B84F844175DA4E077DCDF7DE040E720
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$memcmp
                                            • String ID: array$number overflow parsing '$object$object key$object separator
                                            • API String ID: 969624648-85532522
                                            • Opcode ID: dc7c8f70ece017b678ce96ceb78a522e73b5f35ef2c887ae0adcbfb1cdb96434
                                            • Instruction ID: 4dde2615f542e6136dc1a27de6954bd2c878c14f73c03f09bb8df093af227a00
                                            • Opcode Fuzzy Hash: dc7c8f70ece017b678ce96ceb78a522e73b5f35ef2c887ae0adcbfb1cdb96434
                                            • Instruction Fuzzy Hash: E692D276B19B86A6FF10EB68D4553ADA361FB417A4F800231DA6D07AD9DF7CE081E310
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: freemallocstrncmp
                                            • String ID: public key hash: sha256//%s$-----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$;sha256//$sha256//
                                            • API String ID: 1436789207-471711153
                                            • Opcode ID: a88bebe2319867f2a29d7404d9809670e682c1f6d8e34b4361839db4683956b6
                                            • Instruction ID: f45890f83c01aaa5c19402b14d808361fbf21e59f1281f55b7a8684ca732cd0a
                                            • Opcode Fuzzy Hash: a88bebe2319867f2a29d7404d9809670e682c1f6d8e34b4361839db4683956b6
                                            • Instruction Fuzzy Hash: FEA1A059A29B4261FF94AB26A402279A790FF45BD0FC840B4ED4E47799EF3CE445E320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$CreateFile_errnofree
                                            • String ID: -----END CERTIFICATE-----$-----BEGIN CERTIFICATE-----$schannel: CA file '%s' is not correctly formatted$schannel: CA file exceeds max size of %u bytes$schannel: added %d certificate(s) from CA file '%s'$schannel: did not add any certificates from CA file '%s'$schannel: failed to add certificate from CA file '%s' to certificate store: %s$schannel: failed to determine size of CA file '%s': %s$schannel: failed to extract certificate from CA file '%s': %s$schannel: failed to open CA file '%s': %s$schannel: failed to read from CA file '%s': %s$schannel: invalid path name for CA file '%s': %s$schannel: unexpected content type '%d' when extracting certificate from CA file '%s'
                                            • API String ID: 1377488173-902404565
                                            • Opcode ID: 837417be68a0b86993f0d9a2acaf56ac0aabc9627356470fb6c0b852d90db816
                                            • Instruction ID: f3c4aaf903dd4ed810ddf7891cbf41ef80972a75a5dcbac197eb291a347cf81c
                                            • Opcode Fuzzy Hash: 837417be68a0b86993f0d9a2acaf56ac0aabc9627356470fb6c0b852d90db816
                                            • Instruction Fuzzy Hash: C3B1C369F28B51A2FA10AB25E4026ADA3A1FB457C4FC044B5DD4E5BB9CDF3CE500E720
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free$strchr$_strdupmemsetreallocstrncpy$EnvironmentVariabletolower
                                            • String ID: ALL_PROXY$NO_PROXY$Uses proxy env variable %s == '%s'$_proxy$all_proxy$http_proxy$memory shortage$no_proxy
                                            • API String ID: 1339443121-1021110354
                                            • Opcode ID: 87a442d9f6b5ce944168b9e003a38c7973c54f2c93fe0649b83e4c14fcefe897
                                            • Instruction ID: 620883f62f0d9407474018729348214b23c4b44af28e49df6f97f0ed1069bd4c
                                            • Opcode Fuzzy Hash: 87a442d9f6b5ce944168b9e003a38c7973c54f2c93fe0649b83e4c14fcefe897
                                            • Instruction Fuzzy Hash: 3102D36962D782A5FB91EB21A4163B9A790FF45788FC800B5DE8D07799DF3CE044E320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free$malloc
                                            • String ID: WDigest$digest_sspi: MakeSignature failed, error 0x%08lx$realm
                                            • API String ID: 2190258309-2223379150
                                            • Opcode ID: 8398a34d6a0bf133b77949f209b192bff7e2f6d19aea41e0e4df37f24a9cf00a
                                            • Instruction ID: aa80c6528954099c9de34e050b035c61ea813380da9268699687fd5397158542
                                            • Opcode Fuzzy Hash: 8398a34d6a0bf133b77949f209b192bff7e2f6d19aea41e0e4df37f24a9cf00a
                                            • Instruction Fuzzy Hash: 3412AC7AA18B56AAFB10EF25E4452A9B7A4FB44B84FC440B5DE8D43BA8DF3CD404D710
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: strncmp$memset
                                            • String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s
                                            • API String ID: 3268688168-2769131373
                                            • Opcode ID: 2a2872e945a84521f6b84c8d07c5cde60640c61a2f25760f1ebbd45357a6bd0c
                                            • Instruction ID: 4147f5446f3947b15a1bf3162f973b146cc074d06c8d50e8c987d2e8978ea49a
                                            • Opcode Fuzzy Hash: 2a2872e945a84521f6b84c8d07c5cde60640c61a2f25760f1ebbd45357a6bd0c
                                            • Instruction Fuzzy Hash: 83E1F66AF28682A6FB50EB21E4012F9A7A0FB85788F805176EE4F43759DF7CD440D710
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: strchr$_strdupfopenfseekstrncmpstrtol
                                            • String ID: $CurrentUser$schannel: Failed to import cert file %s, password is bad
                                            • API String ID: 4221717217-4282655970
                                            • Opcode ID: 08de004a40b4f3057b7c83490c12781fcf786c47ed8a6be9df3ff724dc8f06b1
                                            • Instruction ID: 101997bbd45c09591edd0c17fd6ff1f68a2e73915398dad805570369bce17c39
                                            • Opcode Fuzzy Hash: 08de004a40b4f3057b7c83490c12781fcf786c47ed8a6be9df3ff724dc8f06b1
                                            • Instruction Fuzzy Hash: 90810669B28746A1FF59AF2198163B9A790FF05B90FC44174CA2E467D8EF3DE444E320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$Xbad_function_call@std@@
                                            • String ID: array$number overflow parsing '$object
                                            • API String ID: 958247072-579821726
                                            • Opcode ID: 5d6cd3a409471a1faf37548ba221951dc722727f8913c0f1fea7796612f7cc4e
                                            • Instruction ID: 898b6a7a71cce825c77572522138da9b7b89ccf825226232b6595e604629d5ab
                                            • Opcode Fuzzy Hash: 5d6cd3a409471a1faf37548ba221951dc722727f8913c0f1fea7796612f7cc4e
                                            • Instruction Fuzzy Hash: 6C32D176A19B87A6FF10AB68D4513EDA361FB417A4F804231DA9D07AD9DF7CE180E310
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: strchr$_strdupfopenfseekstrncmpstrtol
                                            • String ID: CurrentUser$schannel: Failed to import cert file %s, password is bad
                                            • API String ID: 4221717217-1887299029
                                            • Opcode ID: fa1a1195df9ec8da713b047f1f74c259d12eb95e106b43fec5dd2698c8803e51
                                            • Instruction ID: c1df68e87cd9de18f7964e7710b3d1e3dbb10cc1daad66dda5feafe05742d8f8
                                            • Opcode Fuzzy Hash: fa1a1195df9ec8da713b047f1f74c259d12eb95e106b43fec5dd2698c8803e51
                                            • Instruction Fuzzy Hash: 84811769B28746A1FF59AF2198163B9A790FF05790FC44174CA2E467D8EF3DE444E320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free$_strdup$fclosefgetsfopen
                                            • String ID: $default$login$machine$password
                                            • API String ID: 431015889-155862542
                                            • Opcode ID: 4fff364203ea5e108a1ac3e9f9e2fb84d9b83cc2516c880108be4061567b611b
                                            • Instruction ID: 5d3eed7dbe3156a037b255150225123154287c7dcc4153070da99b6d9a6ce906
                                            • Opcode Fuzzy Hash: 4fff364203ea5e108a1ac3e9f9e2fb84d9b83cc2516c880108be4061567b611b
                                            • Instruction Fuzzy Hash: 34A1D82992C69265FB69BF21941237AE790FF94794F8840F1DD8D0669CDE3CE444E730
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _errno$strtol
                                            • String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$GMT
                                            • API String ID: 3596500743-988243589
                                            • Opcode ID: 1a7e61c25a85243ec6ea3018c962de282b9d4355c4c1153fab2b406bca1d17d2
                                            • Instruction ID: 1e7a8bd9897d96420a65fcbdcc1c33b6fe1d6c7be7b0f05e548575026881b180
                                            • Opcode Fuzzy Hash: 1a7e61c25a85243ec6ea3018c962de282b9d4355c4c1153fab2b406bca1d17d2
                                            • Instruction Fuzzy Hash: ACF1147AF28615AAFB24AB28C4421BCB3A1EB44758F900275DE1F577DCDF38A805E750
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyReleasememset
                                            • String ID: @
                                            • API String ID: 2041421932-2766056989
                                            • Opcode ID: 4133925f26772bb60a5421b75906ac9122fd7e129f0c6c6a6a1ca186eceaa35b
                                            • Instruction ID: a71ce1f0d3ddad3cf30fa4e1c1c302a30f5b589f04bedb821b82a10b9ed5f4b9
                                            • Opcode Fuzzy Hash: 4133925f26772bb60a5421b75906ac9122fd7e129f0c6c6a6a1ca186eceaa35b
                                            • Instruction Fuzzy Hash: 1B316D7A628B8296FB61DF15E855A6AB7A0FBC4B80F844035EE8D53B18CF3CD445DB10
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
                                            • String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_PKGID
                                            • API String ID: 600764987-1052566392
                                            • Opcode ID: 869513566c08340eb8104fe3214b77cbae14751abf0f8e147a617354d4ac6d22
                                            • Instruction ID: 743f82f121aeca164c91302eecc3061ce969c9a89cdae18353cf1154308bfea6
                                            • Opcode Fuzzy Hash: 869513566c08340eb8104fe3214b77cbae14751abf0f8e147a617354d4ac6d22
                                            • Instruction Fuzzy Hash: 5E3185AAA1C6C1A5FA61EB20E4163AEF7A1FB84740FC00076DA8D02A99CF3CD544D721
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: Can not multiplex, even if we wanted to!$Connection #%ld is still name resolving, can't reuse$Connection #%ld isn't open enough, can't reuse$Could multiplex, but not asked to!$Found bundle for host %s: %p [%s]$Found pending candidate for reuse and CURLOPT_PIPEWAIT is set$Multiplexed connection found!$Server doesn't support multiplex (yet)$Server doesn't support multiplex yet, wait$can multiplex$serially
                                            • API String ID: 0-2774518510
                                            • Opcode ID: 8b0f8a989666360a3a3a78e04154ed77bd1a1cc6402fab15bd18b5bf28d2d67f
                                            • Instruction ID: 6e3bacfacda60aeb1b41da03a1a0d2c59c05b4392a6f243a52141e3d13d9b11b
                                            • Opcode Fuzzy Hash: 8b0f8a989666360a3a3a78e04154ed77bd1a1cc6402fab15bd18b5bf28d2d67f
                                            • Instruction Fuzzy Hash: 8442F769A2C7C265FBEDAE3585523B9B7D1EB41748F8840B5CE5C0728DDF2EA450E320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
                                            • String ID: @
                                            • API String ID: 3606780921-2766056989
                                            • Opcode ID: 13d332818e2f811715d9f9e209b21b4e589ecd4c505965960861851f90cba6d2
                                            • Instruction ID: 0c31880f073567aa30a0917f87e5d660d0e0b8ab6b36a6b7cd8264d48d6ddbb1
                                            • Opcode Fuzzy Hash: 13d332818e2f811715d9f9e209b21b4e589ecd4c505965960861851f90cba6d2
                                            • Instruction Fuzzy Hash: FB219176628B8196FB609F25F45266AB7A0FBC9B84F804135EA8E03E1CCF3CD5449B10
                                            APIs
                                            Similarity
                                            • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                            • String ID:
                                            • API String ID: 313767242-0
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
                                            • String ID: @
                                            • API String ID: 3016261861-2766056989
                                            APIs
                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000021C,-00000008,00000000,?,?,00007FF73AD2E368,?,?,?,?,?,?,00007FF73AD455AE), ref: 00007FF73AD2E3E6
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000021C,-00000008,00000000,?,?,00007FF73AD2E368,?,?,?,?,?,?,00007FF73AD455AE), ref: 00007FF73AD2E54D
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73AD2E6AC
                                            Strings
                                            Similarity
                                            • API ID: _strdupfreemalloc
                                            • String ID: %c%c%c%c$%c%c%c=$%c%c==
                                            • API String ID: 3985033223-3943651191
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: calloc$ErrorLastbind
                                            • String ID: bind() failed; %s
                                            • API String ID: 2604820300-1141498939
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: calloc$ErrorLastbind
                                            • String ID: bind() failed; %s
                                            • API String ID: 2604820300-1141498939
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
                                            • API String ID: 0-2102732564
                                            APIs
                                            Strings
                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF73AD5204B
                                            Similarity
                                            • API ID: DebugDebuggerErrorLastOutputPresentStringmemset
                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                            • API String ID: 1848478996-631824599
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: Crypt$Context$Release$AcquireRandom
                                            • String ID: @
                                            • API String ID: 2916321625-2766056989
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: 1.0$6b36407be8dde999435ae16b983386e3be5bbed61532f6eb8e82edb4fe21b4ab$9WIvTVJa9m$fivem$fivem$https://keyauth.win/api/1.2/
                                            • API String ID: 0-1544451013
                                            APIs
                                            Similarity
                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                            • String ID:
                                            • API String ID: 2933794660-0
                                            APIs
                                            Similarity
                                            • API ID: Crypt$Hash$Param$ContextDestroyRelease
                                            • String ID:
                                            • API String ID: 2110207923-0
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: Crypt$AcquireContextCreateHash
                                            • String ID: @
                                            • API String ID: 1914063823-2766056989
                                            APIs
                                            Similarity
                                            • API ID: Xbad_function_call@std@@
                                            • String ID:
                                            • API String ID: 1029415015-0
                                            • Opcode ID: 54efa5f2676a19d4adf10e1201545ef9559aef978ab5c5334c87b6b7a5b67db6
                                            • Instruction ID: d706dd07525ccf860b99d75787afc8acea737a698de3e6725727ec139eab5738
                                            • Opcode Fuzzy Hash: 54efa5f2676a19d4adf10e1201545ef9559aef978ab5c5334c87b6b7a5b67db6
                                            • Instruction Fuzzy Hash: E781E066B0ABAA98FB00DB69D4A53AC7770E715B88F944072DF4E47795DF38D080D310
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 25ca6de128e55fb6ce216344201d591ed70013569d8b0f4d9d2315b49ebf49f1
                                            • Instruction ID: 9e08b9c794225870cdf9ce1d069deb45a5feabccf584372fd522b7a3d537d72b
                                            • Opcode Fuzzy Hash: 25ca6de128e55fb6ce216344201d591ed70013569d8b0f4d9d2315b49ebf49f1
                                            • Instruction Fuzzy Hash: 09612576B0AB8A92FB10CB29E456279A3A1EB49BD0F519231DF5D47B84EF3DE041D300
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a9bc956564b332abba12e54d0044448655734ddf9d44365f360b093ba55ae5c6
                                            • Instruction ID: 94816c6376bf1fdcfb86197ef80826a23593f3880ab5cd1aa5bace72057f3a37
                                            • Opcode Fuzzy Hash: a9bc956564b332abba12e54d0044448655734ddf9d44365f360b093ba55ae5c6
                                            • Instruction Fuzzy Hash: 75F08C69325767BEFE00853B5624FBD5E409BC2700FB368748C80020CB8A9E5493D714
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ae014308f0b8bb8d01c505bd5ad95d5d34cd340cf9dea9f03567bc79e687216f
                                            • Instruction ID: c25c57e8a568d6e78672d321b4be6cc81cdaf93bbfb5f4884e43e772954d1ff0
                                            • Opcode Fuzzy Hash: ae014308f0b8bb8d01c505bd5ad95d5d34cd340cf9dea9f03567bc79e687216f
                                            • Instruction Fuzzy Hash: 6FA011A2A0AA0A80AA008B08E2A2E22A2A0FB88B083808030880C028288E2880028200
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: strcmp$strncpy$strchr
                                            • String ID: CALG_3DES$CALG_3DES_112$CALG_AES$CALG_AES_128$CALG_AES_192$CALG_AES_256$CALG_AGREEDKEY_ANY$CALG_CYLINK_MEK$CALG_DES$CALG_DESX$CALG_DH_EPHEM$CALG_DH_SF$CALG_DSS_SIGN$CALG_ECDH$CALG_ECDH_EPHEM$CALG_ECDSA$CALG_ECMQV$CALG_HASH_REPLACE_OWF$CALG_HMAC$CALG_HUGHES_MD5$CALG_MAC$CALG_MD2$CALG_MD4$CALG_MD5$CALG_NO_SIGN$CALG_PCT1_MASTER$CALG_RC2$CALG_RC4$CALG_RC5$CALG_RSA_KEYX$CALG_RSA_SIGN$CALG_SCHANNEL_ENC_KEY$CALG_SCHANNEL_MAC_KEY$CALG_SCHANNEL_MASTER_HASH$CALG_SEAL$CALG_SHA$CALG_SHA1$CALG_SHA_256$CALG_SHA_384$CALG_SHA_512$CALG_SKIPJACK$CALG_SSL2_MASTER$CALG_SSL3_MASTER$CALG_SSL3_SHAMD5$CALG_TEK$CALG_TLS1PRF$CALG_TLS1_MASTER
                                            Similarity
                                            • API ID: free
                                            • String ID: %s %s RTSP/1.0CSeq: %ld$%s%s%s%s%s%s%s%s$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: application/sdp$CSeq$CSeq cannot be set as a custom header.$Content-Length$Content-Length: %I64d$Content-Type$Content-Type: application/sdp$Content-Type: text/parameters$Failed sending RTSP request$OPTIONS$Range$Range: %s$Referer$Referer: %s$Refusing to issue an RTSP SETUP without a Transport: header.$Refusing to issue an RTSP request [%s] without a session ID.$Session$Session ID cannot be set as a custom header.$Session: %s$Transport$Transport: %s$User-Agent
                                            Similarity
                                            • API ID: free$malloc$memcpy$htonl
                                            • String ID: GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)
                                            Similarity
                                            • API ID: free
                                            APIs
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2BD7
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2C47
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2CA7
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2CF7
                                              • Part of subcall function 00007FF73ACF2B70: system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2D47
                                              • Part of subcall function 00007FF73AD01790: GetCurrentProcess.KERNEL32 ref: 00007FF73AD0189E
                                              • Part of subcall function 00007FF73AD01790: OpenProcessToken.ADVAPI32 ref: 00007FF73AD018B0
                                              • Part of subcall function 00007FF73ACF4150: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF425F
                                              • Part of subcall function 00007FF73ACF4150: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF42A0
                                              • Part of subcall function 00007FF73ACF49A0: memcpy.VCRUNTIME140 ref: 00007FF73ACF49F3
                                              • Part of subcall function 00007FF73ACF3600: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF36E0
                                              • Part of subcall function 00007FF73ACF3880: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3960
                                              • Part of subcall function 00007FF73ACF3700: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF37E0
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3BE1
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3C30
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3C6F
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3CC0
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3CFF
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3D53
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3D92
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3DE0
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3E1F
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3EDA
                                              • Part of subcall function 00007FF73AD50FD4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF73ACF517E,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73AD50FEE
                                            • memcpy.VCRUNTIME140 ref: 00007FF73ACF3EFE
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF3FE3
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF4033
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF407B
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF40F8
                                              • Part of subcall function 00007FF73ACF5640: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF5700
                                            • MessageBoxA.USER32 ref: 00007FF73ACF412E
                                            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF413F
                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF73ACF4146
                                              • Part of subcall function 00007FF73ACF18C0: __std_exception_copy.VCRUNTIME140 ref: 00007FF73ACF1904
                                            • API ID: _invalid_parameter_noinfo_noreturn$system$Processmemcpy$Concurrency::cancel_current_taskCurrentMessageOpenToken__std_exception_copyexitmalloc
                                            • String ID: Failure$info$message$success
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$_dclass
                                            • String ID: array$number overflow parsing '$object
                                            Similarity
                                            • API ID: calloc$_strdupfreehtonsmemset
                                            • String ID: %s$%s%02x%02x$AAAA$CNAME: %s$Could not DOH-resolve: %s$DOH A: %u.%u.%u.%u$DOH AAAA: $DOH Host name: %s$DOH: %s type %s for %s$TTL: %u seconds$bad error code
                                            Similarity
                                            • API ID: memchrstrtol
                                            • String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$%s (%ld)$Malformed ACK packet, rejecting$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
                                            APIs
                                              • Part of subcall function 00007FF73AD074D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD11AD0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD03901), ref: 00007FF73AD074F7
                                              • Part of subcall function 00007FF73AD074D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD11AD0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD03901), ref: 00007FF73AD07503
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD0DE34
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD0DE3C
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD0DE63
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD0DE6C
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD0DEF0
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD0DEF9
                                            Similarity
                                            • API ID: free
                                            • String ID: 8bit$; boundary=$; filename="$; name="$Content-Disposition$Content-Disposition: %s%s%s%s%s%s%s$Content-Transfer-Encoding$Content-Transfer-Encoding: %s$Content-Type$Content-Type: %s%s%s$application/octet-stream$attachment$form-data$multipart/$multipart/form-data$multipart/mixed$text/plain
                                            APIs
                                              • Part of subcall function 00007FF73ACF50A0: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73ACF50D1
                                            • memcpy.VCRUNTIME140 ref: 00007FF73ACF7206
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF73ACF7298
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF73ACF72D9
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF7423
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF7462
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF74B0
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF74F1
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF754E
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF7608
                                              • Part of subcall function 00007FF73AD50FD4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF73ACF517E,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73AD50FEE
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF7649
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF7716
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF7757
                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF73ACF777A
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo_noreturn$memcpy$Concurrency::cancel_current_taskmalloc
                                            • String ID: ; expected $; last read: '$rsing $syntax error $unexpected
                                            Similarity
                                            • API ID: strchrstrrchr$_strdupstrstr
                                            • String ID: .$/$/$/$?
                                            • API String ID: 2325335452-1821401756
                                            • Opcode ID: 6b28ee7bcbdab15995d06b5ce03319e057799f6fdbd4524478234f115d91a2e6
                                            • Instruction ID: 64dcce4aac346296af0cafe93bcf343904644c50d39f02c66cd2b97436107891
                                            • Opcode Fuzzy Hash: 6b28ee7bcbdab15995d06b5ce03319e057799f6fdbd4524478234f115d91a2e6
                                            • Instruction Fuzzy Hash: 8681C01AA1D2A265FB656A21A502379EBD1EF45780FC840F1DE8D077CAEE3CE445E321
                                            Similarity
                                            • API ID: strchr$free
                                            • String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 7.70.0%sQUIT$CLIENT libcurl 7.70.0DEFINE %s %sQUIT$CLIENT libcurl 7.70.0MATCH %s %s %sQUIT$Failed sending DICT request$default$lookup word is missing
                                            • API String ID: 3578582447-31095704
                                            • Opcode ID: 4d8a0cb5b250a8f6dc45fe641b72d2b1af6ad8dfec1ff8f093a845bc13a4b92d
                                            • Instruction ID: 7f5516c4613986c17eb66725c2e3275fb006277a0b6d9ea77a6a147ddd4cfbca
                                            • Opcode Fuzzy Hash: 4d8a0cb5b250a8f6dc45fe641b72d2b1af6ad8dfec1ff8f093a845bc13a4b92d
                                            • Instruction Fuzzy Hash: 4981BC59F2968260FF51AB2199022B9E281EF45BC4FC881B1DA8C077DDEF2DE445E231
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: 97829e33dc5bb7926e0fb57e14c2ccf90653775270aaccbadb8f27eed4e50b39
                                            • Instruction ID: eae60e1c11ef12b62e79b23d46158b7bda9b9d944bda62653afe2452aca97907
                                            • Opcode Fuzzy Hash: 97829e33dc5bb7926e0fb57e14c2ccf90653775270aaccbadb8f27eed4e50b39
                                            • Instruction Fuzzy Hash: F191D63A614F81A3E7499F31E9912ACB368F749F48F444175EFAD47369CF34A2A58320
                                            Similarity
                                            • API ID: memcpystrchrtolower$__stdio_common_vsscanfstrtoul
                                            • String ID: %255[^:]:%d$:%u$@$Added %s:%d:%s to DNS cache$Couldn't parse CURLOPT_RESOLVE entry '%s'!$Couldn't parse CURLOPT_RESOLVE removal entry '%s'!$RESOLVE %s:%d is - old addresses discarded!$RESOLVE %s:%d is wildcard, enabling wildcard checks$Resolve address '%s' found illegal!$]
                                            • API String ID: 1094891576-1753329177
                                            • Opcode ID: 098fd66521105fe60521f42df3e8fbc25a4f0bdb7e95ef50ae0321cb69c7fa03
                                            • Instruction ID: 54249f34401a5ee633328ae932d3f41f5a5317ef1b4ce53f0956d96cfac4d01b
                                            • Opcode Fuzzy Hash: 098fd66521105fe60521f42df3e8fbc25a4f0bdb7e95ef50ae0321cb69c7fa03
                                            • Instruction Fuzzy Hash: 9DD1062AA2C68AA5FF50AB20E4013F9A7A0FB44798FC44572DA1D07ACDDF3CD801D720
                                            Similarity
                                            • API ID: free
                                            • String ID: Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$Unsupported proxy syntax in '%s'$http$https$socks$socks4$socks4a$socks5$socks5h
                                            • API String ID: 1294909896-874090715
                                            • Opcode ID: b96cb19b3cfa9ea5ff55e13c82a5b406affe547f457c7338a0defd97fc7f88b8
                                            • Instruction ID: d19e7bff8d63eb30cd36ddac69a3f26009f61419f83facab72e9f781e17220b7
                                            • Opcode Fuzzy Hash: b96cb19b3cfa9ea5ff55e13c82a5b406affe547f457c7338a0defd97fc7f88b8
                                            • Instruction Fuzzy Hash: 8CA1E12AF28702A5FB90EB61E8426BDA7A4FB44794F8444B1CE0D1769DDF3CE544E320
                                            Similarity
                                            • API ID: calloc$free$strchrstrncpy$_strdupmallocstrncmpstrrchr
                                            • String ID: Request has same path as previous transfer$Uploading to a URL without a file name!
                                            • API String ID: 2243338858-131330169
                                            • Opcode ID: e5f5215b6adfe5c2c5920e471789dfd3af1765d330e4d1fc8f87f2dd106cd71f
                                            • Instruction ID: a0ae6063383b52fd0a37252a66f7ed14e6d81b5eac7106469e28711080882f4f
                                            • Opcode Fuzzy Hash: e5f5215b6adfe5c2c5920e471789dfd3af1765d330e4d1fc8f87f2dd106cd71f
                                            • Instruction Fuzzy Hash: B291F36AF2CB82A2FB54AB25A411279A7E0FF55B81F8840B1DA4E037D8DF3DE445D710
                                            APIs
                                            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0C1A3
                                            • fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0C21D
                                            • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0C241
                                            • qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0C290
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0C2CA
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0C2DC
                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0C2EF
                                            • _unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0C30A
                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0C320
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0C329
                                            Similarity
                                            • API ID: free$fclose$__acrt_iob_func_unlinkcallocfputsqsort
                                            • String ID: ## Fatal libcurl error$# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$%s.%s.tmp
                                            • API String ID: 1368378007-4087121635
                                            • Opcode ID: 6009f20b34a05d1dd3bb9b4faa6d0a83b2fc5cf93fa4d208a15db822bffecfa8
                                            • Instruction ID: 85035b9dff75390864299cacbd88510cb03eda35f7f04d47e2840666b1150646
                                            • Opcode Fuzzy Hash: 6009f20b34a05d1dd3bb9b4faa6d0a83b2fc5cf93fa4d208a15db822bffecfa8
                                            • Instruction Fuzzy Hash: 0D51B36DA3D64265FE65FB21981A27AA3A0FF45BC4FC444B1CD4E07768EF3CE444A221
                                            Similarity
                                            • API ID: ErrorLast_errno
                                            • String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_I_CONTINUE_NEEDED$Unknown error
                                            • API String ID: 3939687465-1752685260
                                            • Opcode ID: 3f59502599f9fe4b36af2ca8a19788e5d051e754496cbe36b5c47fe41c4b52c1
                                            • Instruction ID: c50ca52a80527d22ffa4a4b968b46f6b1e865dcb22f992f5159da82f26a44eb3
                                            • Opcode Fuzzy Hash: 3f59502599f9fe4b36af2ca8a19788e5d051e754496cbe36b5c47fe41c4b52c1
                                            • Instruction Fuzzy Hash: 2951D969A2CA82A5FB21EB20E4563B9B7A1FF44740FC040B5DA4D03A9DDF3CE504E721
                                            Similarity
                                            • API ID:
                                            • String ID: Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.$Failed to resolve "%s" for SOCKS4 connect.$Failed to send SOCKS4 connect request.$SOCKS4 communication to %s:%d$SOCKS4 connect to IPv4 %s (locally resolved)$SOCKS4 connection to %s not supported$SOCKS4 non-blocking resolve of %s$SOCKS4 reply has wrong version, version should be 0.$SOCKS4%s request granted.$SOCKS4%s: connecting to HTTP proxy %s port %d$SOCKS4: Failed receiving connect request ack: %s$SOCKS4: too long host name$Too long SOCKS proxy name, can't use!$[
                                            • API String ID: 0-3760664348
                                            • Opcode ID: 26d194b8cc82fb13ed84a8c92531479d55a30ccc1a2d005a4b75650419007094
                                            • Instruction ID: 9eed888cc7f4e813958a39a639add6963cf782e40632b8717716d9886e0a9f2b
                                            • Opcode Fuzzy Hash: 26d194b8cc82fb13ed84a8c92531479d55a30ccc1a2d005a4b75650419007094
                                            • Instruction Fuzzy Hash: 78E1E2B9A1C685A6FB54AF25D04137DB790FB46B84F8481B5DA4E47799CF3CE040D720
                                            APIs
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF634E
                                            • __std_exception_destroy.VCRUNTIME140 ref: 00007FF73ACF637C
                                            • __std_exception_destroy.VCRUNTIME140 ref: 00007FF73ACF638A
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF63C4
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF6415
                                            • memset.VCRUNTIME140 ref: 00007FF73ACF6243
                                              • Part of subcall function 00007FF73ACF50A0: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73ACF50D1
                                              • Part of subcall function 00007FF73ACF7090: memcpy.VCRUNTIME140 ref: 00007FF73ACF7206
                                              • Part of subcall function 00007FF73ACF1E80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF1FF1
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF6582
                                            • __std_exception_destroy.VCRUNTIME140 ref: 00007FF73ACF65AE
                                            • __std_exception_destroy.VCRUNTIME140 ref: 00007FF73ACF65BC
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF65F7
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF664A
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF6731
                                            • ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF73ACF6749
                                            • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF73ACF6756
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$memcpy$?uncaught_exception@std@@D@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@memset
                                            • String ID: value
                                            • API String ID: 2102519606-494360628
                                            • Opcode ID: ee0779249a2292a91785ccc2791af818acd1a168ebfab1a7e7b88034a6c403b2
                                            • Instruction ID: bf3f34c60944c5b4070589a82f6906c584383818108feae99b09fd20ffd9f741
                                            • Opcode Fuzzy Hash: ee0779249a2292a91785ccc2791af818acd1a168ebfab1a7e7b88034a6c403b2
                                            • Instruction Fuzzy Hash: EDF11A66A19AC295FF10EB74D4513ADA760FB857A4F804271EAAD03AE9DF3CD084E310
                                            Similarity
                                            • API ID: Cert$CertificateCertificatesContextEnumFreeStore
                                            • String ID: ALPN, server did not agree to a protocol$http/1.1$schannel: ALPN, server accepted to use %.*s$schannel: failed to retrieve ALPN result$schannel: failed to retrieve remote cert context$schannel: failed to setup confidentiality$schannel: failed to setup memory allocation$schannel: failed to setup replay detection$schannel: failed to setup sequence detection$schannel: failed to setup stream orientation$schannel: failed to store credential handle
                                            • API String ID: 2572311694-3353508759
                                            • Opcode ID: 0665b64c7b824c9d1b82f0c8097f4837004a7d675fd593bf18144da4f45bb90f
                                            • Instruction ID: d9e132f10097c24052e3847994973f1ab5e8666f6383299a9949d313ba04e589
                                            • Opcode Fuzzy Hash: 0665b64c7b824c9d1b82f0c8097f4837004a7d675fd593bf18144da4f45bb90f
                                            • Instruction Fuzzy Hash: 3FB12669A28A86A5FB60BB24D8123B9A391FF84B84FC441B1CD4D477ACCF3CD441E720
                                            APIs
                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF73AD41ACF), ref: 00007FF73AD4EDCD
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,0000000100000000,?,00007FF73AD41ACF), ref: 00007FF73AD4EDEF
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF73AD41ACF), ref: 00007FF73AD4EE00
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0000000100000000,?,00007FF73AD41ACF), ref: 00007FF73AD4EE2E
                                            Similarity
                                            • API ID: free$_strdupmalloc
                                            • String ID: ../$/..$/../$/./
                                            • API String ID: 111713529-456519384
                                            • Opcode ID: a9dca8a485aeb8ad91a1b015f0defd015c32b6be5d2baf9d61c7b18537e8c8ad
                                            • Instruction ID: a54fc56f4f36347affe96b0dc034abefc9420244a29d2d717c9e7965819b767b
                                            • Opcode Fuzzy Hash: a9dca8a485aeb8ad91a1b015f0defd015c32b6be5d2baf9d61c7b18537e8c8ad
                                            • Instruction Fuzzy Hash: 97710C29E2CAE275FB226B1191012B9EF90EF55B90FC441F1CA9D06AD8DF3CE451E321
                                            Similarity
                                            • API ID: free$_strdupmalloc
                                            • String ID: Signature: %s$%s$-----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----$Cert$FALSE$Signature$TRUE
                                            • API String ID: 111713529-3006446216
                                            • Opcode ID: 0d4af557daef4db8173579bf327fd205810d04735fbb8b2f00107e5cb014bbe7
                                            • Instruction ID: eb579b5d66e11b227375ac6cb13b49fa5b5349180971b5af0ca40bb98e2b5f23
                                            • Opcode Fuzzy Hash: 0d4af557daef4db8173579bf327fd205810d04735fbb8b2f00107e5cb014bbe7
                                            • Instruction Fuzzy Hash: 4A71EA5AA1D7D165FB11EB2594022B9FBA0EF46748FD880F2CA8E0336DDE2DD045D720
                                            Similarity
                                            • API ID: free$malloc
                                            • String ID: DIGEST-MD5 handshake failure (empty challenge message)$WDigest
                                            Similarity
                                            • API ID: free$_strdupmalloctolower
                                            • String ID: %%%02x
                                            Similarity
                                            • API ID: memcmp
                                            • String ID: $CAPABILITY$EXAMINE$EXPUNGE$FETCH$LIST$LSUB$NOOP$PREA$SEARCH$SELECT$STORE$UID$Unexpected continuation response
                                            APIs
                                              • Part of subcall function 00007FF73ACF50A0: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73ACF50D1
                                              • Part of subcall function 00007FF73ACF7090: memcpy.VCRUNTIME140 ref: 00007FF73ACF7206
                                              • Part of subcall function 00007FF73ACF1E80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF1FF1
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACFCE60
                                            • __std_exception_destroy.VCRUNTIME140 ref: 00007FF73ACFCE8E
                                            • __std_exception_destroy.VCRUNTIME140 ref: 00007FF73ACFCE9C
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACFCED6
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACFCF33
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACFCFEC
                                            • __std_exception_destroy.VCRUNTIME140 ref: 00007FF73ACFD01A
                                            • __std_exception_destroy.VCRUNTIME140 ref: 00007FF73ACFD028
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACFD062
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACFD0B3
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACFD0FD
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$memcpy
                                            • String ID: value
                                            Similarity
                                            • API ID: fclosefree$__acrt_iob_func_strdupcallocfopenmalloc
                                            • String ID: Set-Cookie:$ignoring failed cookie_init for %s$none
                                            Similarity
                                            • API ID: ErrorLast_errno$strrchr$__sys_nerrstrerrorstrncpy
                                            • String ID: Unknown error %d (%#x)
                                            APIs
                                            • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF73AD02052
                                            • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF73AD0206C
                                            • ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF73AD0208D
                                            • ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF73AD020DF
                                            • ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF73AD020F4
                                            • ?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF73AD02113
                                            • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF73AD02132
                                            • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF73AD0213B
                                            • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF73AD021B8
                                            • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF73AD021C1
                                            • ?width@ios_base@std@@QEAA_J_J@Z.MSVCP140 ref: 00007FF73AD021EC
                                            • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF73AD02209
                                            • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF73AD0221B
                                            Similarity
                                            • API ID: U?$char_traits@$D@std@@@std@@$?rdbuf@?$basic_ios@?width@ios_base@std@@D@std@@@2@V?$basic_streambuf@$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@Vlocale@2@
                                            APIs
                                            • memset.VCRUNTIME140 ref: 00007FF73AD3BB2B
                                            • strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73AD3BC55
                                              • Part of subcall function 00007FF73AD074D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD11AD0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD03901), ref: 00007FF73AD074F7
                                              • Part of subcall function 00007FF73AD074D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD11AD0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD03901), ref: 00007FF73AD07503
                                            • strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73AD3BC0F
                                              • Part of subcall function 00007FF73AD07430: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73AD07440
                                            Similarity
                                            • API ID: freestrncpy$_strdupmemset
                                            • String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
                                            Similarity
                                            • API ID: free
                                            • String ID: %I64d$%s%c%s%c$TFTP buffer too small for options$TFTP file name too long$blksize$timeout$tsize
                                            Similarity
                                            • API ID: sendto$ErrorLast
                                            • String ID: Received ACK for block %d, expecting %d$Timeout waiting for block %d ACK. Retries = %d$tftp_tx: giving up waiting for block %d ack$tftp_tx: internal error, event: %i
                                            Similarity
                                            • API ID: sendto$_time64
                                            • String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
                                            Similarity
                                            • API ID: _strdup$freestrchrstrncmpstrtol
                                            • String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
                                            Similarity
                                            • API ID: fclosefree$__acrt_iob_func_strdupcallocfopenmalloc
                                            • String ID: Set-Cookie:$none
                                            APIs
                                              • Part of subcall function 00007FF73AD17310: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD17324
                                              • Part of subcall function 00007FF73AD17310: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD1733A
                                              • Part of subcall function 00007FF73AD17310: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD1734E
                                              • Part of subcall function 00007FF73AD17310: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD17362
                                              • Part of subcall function 00007FF73AD17310: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD17376
                                              • Part of subcall function 00007FF73AD17310: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD1738A
                                              • Part of subcall function 00007FF73AD17310: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD1739E
                                              • Part of subcall function 00007FF73AD17310: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD173B2
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD163B2
                                              • Part of subcall function 00007FF73AD402E0: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD402F5
                                              • Part of subcall function 00007FF73AD402E0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD4030F
                                              • Part of subcall function 00007FF73AD402E0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD4032A
                                              • Part of subcall function 00007FF73AD402E0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD40346
                                              • Part of subcall function 00007FF73AD402E0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD40362
                                              • Part of subcall function 00007FF73AD402E0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD4037A
                                              • Part of subcall function 00007FF73AD402E0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD40392
                                              • Part of subcall function 00007FF73AD402E0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD403AA
                                              • Part of subcall function 00007FF73AD402E0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD403C2
                                              • Part of subcall function 00007FF73AD402E0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD403DA
                                              • Part of subcall function 00007FF73AD402E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD403F4
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73AD165B6
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73AD165F9
                                            • strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF73AD1673E
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73AD167BB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdup$free$callocstrtoul
                                            • String ID: %s://%s$Protocol "%s" not supported or disabled in libcurl$file
                                            • API String ID: 954404409-4150109901
                                            • Opcode ID: 6772e96c6ccc77662937e5d3b728ad8c4f6999f8d66b77373c9182979c59d43f
                                            • Instruction ID: f9cc121e36beb6df672583ba0725e45f5635988b6d27132255ec306569d4f46b
                                            • Opcode Fuzzy Hash: 6772e96c6ccc77662937e5d3b728ad8c4f6999f8d66b77373c9182979c59d43f
                                            • Instruction Fuzzy Hash: 16C1B439B18A82A6FBA9AB35D5423F9A390FB41744F8440B5CB1D4768DEF3CE554E320
                                            APIs
                                              • Part of subcall function 00007FF73ACF2240: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2339
                                              • Part of subcall function 00007FF73ACF2240: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2378
                                              • Part of subcall function 00007FF73ACF50A0: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73ACF50D1
                                              • Part of subcall function 00007FF73ACF4920: memcpy.VCRUNTIME140(?,?,?,?,?,00007FF73ACF1C5B), ref: 00007FF73ACF4966
                                              • Part of subcall function 00007FF73ACF6B50: memcpy.VCRUNTIME140(?,?,?,00007FF73ACF1C8A), ref: 00007FF73ACF6BE1
                                              • Part of subcall function 00007FF73ACF49A0: memcpy.VCRUNTIME140 ref: 00007FF73ACF49F3
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF1FF1
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2041
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2092
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF20D2
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2124
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2163
                                            • __std_exception_copy.VCRUNTIME140 ref: 00007FF73ACF21B6
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2207
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo_noreturn$memcpy$__std_exception_copy
                                            • String ID: parse error$parse_error
                                            • API String ID: 2484256320-1820534363
                                            • Opcode ID: 79fa430c4efad6a2d76c2d148721811b644a3bc994eb7f1053710d3a8b8b6071
                                            • Instruction ID: 3831e0bc26950ccd3a71e7f1cfc040a9ff8849dcffb0c5603be446146f0170f4
                                            • Opcode Fuzzy Hash: 79fa430c4efad6a2d76c2d148721811b644a3bc994eb7f1053710d3a8b8b6071
                                            • Instruction Fuzzy Hash: F1B1C272E14B4695FB04EB64E4513AD7761EB447A8F904631EAAD03AE9DF7CD0C0E310
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$malloc$_time64calloctolower
                                            • String ID: :%u$Shuffling %i addresses
                                            • API String ID: 133842801-338667637
                                            • Opcode ID: 7b8ed0ef4925efe9b6cc4f7d15d6d1533159af19d37a9f432c107f1578ee6360
                                            • Instruction ID: ba31bf69e7cca46be99adf3f2cbf82db128e736f5e28c63064d3c433075e7e05
                                            • Opcode Fuzzy Hash: 7b8ed0ef4925efe9b6cc4f7d15d6d1533159af19d37a9f432c107f1578ee6360
                                            • Instruction Fuzzy Hash: 6871F67AA28B86A1FB55AF11E5017B9B7A1FB48B94F844171CE4E07798EF3CD844D320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdupfree
                                            • String ID: GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s
                                            • API String ID: 1865132094-1312055526
                                            • Opcode ID: 8ff86076a6a66d75232e8427d88cb20d6e1d215c91c9a4be1bcb8247b6697f5a
                                            • Instruction ID: f996b8696190adb5f898cfb18e2300c693576a3c7fbe0638a0a0522ce968c11b
                                            • Opcode Fuzzy Hash: 8ff86076a6a66d75232e8427d88cb20d6e1d215c91c9a4be1bcb8247b6697f5a
                                            • Instruction Fuzzy Hash: AA71D769A1878390F7A0AF34D4423BDA7A1EB45B44F9809B1DE8D476ADCF3DD441E320
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12D8D
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12DAA
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12DBE
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12DDA
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12DF7
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12E1A
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12E2E
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12E42
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12E68
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12E7C
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12E90
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12EDF
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12EEC
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD13395), ref: 00007FF73AD12F15
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: cebf4daa39e9ef3070e5533762b0c45d7f12dae150eb8221eecad598c6e96e4a
                                            • Instruction ID: ad44c9f0fdd2d947db1c788974b0d49ea83d25e2ca0c04158c5f81776c51e84d
                                            • Opcode Fuzzy Hash: cebf4daa39e9ef3070e5533762b0c45d7f12dae150eb8221eecad598c6e96e4a
                                            • Instruction Fuzzy Hash: AB512E39968B8291FB44EF31D4522FDA7A0FF85F84F884071DE5E4B659CE3990859330
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: CRAM-MD5$DIGEST-MD5$EXTERNAL$GSSAPI$LOGIN$NTLM$OAUTHBEARER$PLAIN$XOAUTH2
                                            • API String ID: 1294909896-1896214517
                                            • Opcode ID: 3aee149c2699db90a2b432282fa80b87111d201466db1c3471af34fe7a16c3ae
                                            • Instruction ID: 842d4a9fff7de4f4a5f9aab62823a13cb771ba50050c4734a899ad6ba4c7f55c
                                            • Opcode Fuzzy Hash: 3aee149c2699db90a2b432282fa80b87111d201466db1c3471af34fe7a16c3ae
                                            • Instruction Fuzzy Hash: C8D17C7A919B9295FB60AF10E4013A9B7A0FB84B58F8502B6DE8D0779CDF3CD445D720
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$malloc
                                            • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_$MAILINDEX$PARTIAL$SECTION$UID$UIDVALIDITY
                                            • API String ID: 2190258309-1670639106
                                            • Opcode ID: aaee8b4824d9325fed52f29a49084a14fde8caec5c456af2adca197dc23dfbc8
                                            • Instruction ID: fab523a7804281b1325647220dff25400f202a6e904e55d7ab29e9632d81967b
                                            • Opcode Fuzzy Hash: aaee8b4824d9325fed52f29a49084a14fde8caec5c456af2adca197dc23dfbc8
                                            • Instruction Fuzzy Hash: B3A1EB1A92878AA5FB50EF21D5023B8A790FF48788F8404B5EA5E4B69DDF3DD491D320
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD40E9B
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD40F01
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD40F0F
                                            • calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD4100D
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD41076
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD4108E
                                              • Part of subcall function 00007FF73AD3FFE0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73AD3FFF0
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD410B6
                                            • calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD410CD
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD410F2
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD4113F
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD41154
                                              • Part of subcall function 00007FF73AD41290: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD402C2,?,?,00000000,00007FF73AD173CB,?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD4129C
                                              • Part of subcall function 00007FF73AD41290: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD402C2,?,?,00000000,00007FF73AD173CB,?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD412A6
                                              • Part of subcall function 00007FF73AD41290: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD402C2,?,?,00000000,00007FF73AD173CB,?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD412B0
                                              • Part of subcall function 00007FF73AD41290: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD402C2,?,?,00000000,00007FF73AD173CB,?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD412BA
                                              • Part of subcall function 00007FF73AD41290: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD402C2,?,?,00000000,00007FF73AD173CB,?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD412C4
                                              • Part of subcall function 00007FF73AD41290: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD402C2,?,?,00000000,00007FF73AD173CB,?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD412CE
                                              • Part of subcall function 00007FF73AD41290: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD402C2,?,?,00000000,00007FF73AD173CB,?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD412D8
                                              • Part of subcall function 00007FF73AD41290: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD402C2,?,?,00000000,00007FF73AD173CB,?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD412E2
                                              • Part of subcall function 00007FF73AD41290: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD402C2,?,?,00000000,00007FF73AD173CB,?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD412EC
                                              • Part of subcall function 00007FF73AD41290: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD402C2,?,?,00000000,00007FF73AD173CB,?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD412F6
                                              • Part of subcall function 00007FF73AD41290: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD402C2,?,?,00000000,00007FF73AD173CB,?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD41300
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$calloc$_strdup
                                            • String ID: ,$:
                                            • API String ID: 2460172880-4193410690
                                            • Opcode ID: 434c8d58af6e5700761e0d470ef93e0cf25a3180c57d24ab253308cc3fd4d694
                                            • Instruction ID: 6f8f0dc017b6d7208371ed11ebf6210588c06f27a48992b9bd1c62a665d071fa
                                            • Opcode Fuzzy Hash: 434c8d58af6e5700761e0d470ef93e0cf25a3180c57d24ab253308cc3fd4d694
                                            • Instruction Fuzzy Hash: 4551B616E2CB9653F721EB35A5122B9A350FF55B84F8492B0DF8D0265AEF2CF1C5A310
                                            APIs
                                            • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD402F5
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD4030F
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD4032A
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD40346
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD40362
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD4037A
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD40392
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD403AA
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD403C2
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD403DA
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD16355,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD403F4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdup$callocfree
                                            • String ID:
                                            • API String ID: 1183638330-0
                                            • Opcode ID: 884f2448193a9adb7b170b09a06f4957f657c1d6519fdb0ff3282332b281cfaf
                                            • Instruction ID: 8440366a5b619f868f282f5fe460e7d714d1ed9f2c99ac0c672200c98a5905a9
                                            • Opcode Fuzzy Hash: 884f2448193a9adb7b170b09a06f4957f657c1d6519fdb0ff3282332b281cfaf
                                            • Instruction Fuzzy Hash: 02318029A26F02A6FF59EB91F05623867A0FF44B04B8845B5CA0D42758EF3CE564E360
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$mallocmemcpy$strchr
                                            • String ID:
                                            • API String ID: 1615377186-0
                                            • Opcode ID: 7dfc5812d5a88c4bde41487b62d5c1665578af98dddacaff8cc22133f62a1adc
                                            • Instruction ID: ead35c14e0a8919a5b8864542bb6875684933815afca550f3f1a8455b03b6ba5
                                            • Opcode Fuzzy Hash: 7dfc5812d5a88c4bde41487b62d5c1665578af98dddacaff8cc22133f62a1adc
                                            • Instruction Fuzzy Hash: 6D519F2972DB85A5FEE4AF25E505279E291FB44B80F8840B0DE8D47B48EF3CE405D320
                                            APIs
                                            Strings
                                            • Couldn't find host %s in the .netrc file; using defaults, xrefs: 00007FF73AD15AA9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$_strdup
                                            • String ID: Couldn't find host %s in the .netrc file; using defaults
                                            • API String ID: 2653869212-3983049644
                                            • Opcode ID: 2ffbd0a82cf340faf792485215ff3584dbde2df33107f45736162e578dc8f89a
                                            • Instruction ID: 52a1e4ca43a6da28525e008637d901c56601d028da3c80ef55f12da20679ed1a
                                            • Opcode Fuzzy Hash: 2ffbd0a82cf340faf792485215ff3584dbde2df33107f45736162e578dc8f89a
                                            • Instruction Fuzzy Hash: D2712729A18B82A6FBA4AB35D496379A7A0FB44744F8400B1CB9D47398DF3DF554E320
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %s%s%s$Couldn't set desired mode$Got a %03d response code instead of the assumed 200$LIST$NLST
                                            • API String ID: 0-1262176364
                                            • Opcode ID: 84c53d472fdf5f393aea367dc30ba8a194e8fa93cfe1338e983f53e97e9bdbfd
                                            • Instruction ID: 6ea8957f759431fecb557a89706e32cc87fb670f770c32715710136891d35b1f
                                            • Opcode Fuzzy Hash: 84c53d472fdf5f393aea367dc30ba8a194e8fa93cfe1338e983f53e97e9bdbfd
                                            • Instruction Fuzzy Hash: B841F529F2C652B6FB94AB15E4421BAE360EF41B80FC440B5DA4D0769DEF7DE448E320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$_strdup
                                            • String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$FALSE$Public Key Algorithm$TRUE
                                            • API String ID: 2653869212-571364039
                                            • Opcode ID: 2721684524e036b017217f472e7fc305398b3faf96d1030816dad9b2c1d64f58
                                            • Instruction ID: 7dbf32de9880f05f5ac65ef1716c727154cb4bb42a37809fcb26795976b55740
                                            • Opcode Fuzzy Hash: 2721684524e036b017217f472e7fc305398b3faf96d1030816dad9b2c1d64f58
                                            • Instruction Fuzzy Hash: 3441D369B1DB9264FB21AB66A4461F9A760FB05784FC404B2CE4E0775EDF3CE144E320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLast_errno$FormatMessagestrchr
                                            • String ID: Unknown error %u (0x%08X)
                                            • API String ID: 1897771742-1058733786
                                            • Opcode ID: e96e33a1e5f4e0560df3159e1368d2a383f50685c12c34e08158cc9b204e6fb3
                                            • Instruction ID: 7512898ad7231ae1416156f040ee28d34a02262c8625fb31e80adcbf6f8a0c63
                                            • Opcode Fuzzy Hash: e96e33a1e5f4e0560df3159e1368d2a383f50685c12c34e08158cc9b204e6fb3
                                            • Instruction Fuzzy Hash: 8621A7AAA1C781A2FB11AF21A40562AFAD1FF94BD0F884074DE4E03B5DCF7CD4419722
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
                                            • String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_BINDINGS
                                            • API String ID: 600764987-2710416593
                                            • Opcode ID: 144d15412fd5dbb420f3337d8fae68674c69010fd051b7522233ba084ab607b8
                                            • Instruction ID: 946d058e02527d0f267573ac1fd6e880fbef81c38cb004a85d5f11be014c067f
                                            • Opcode Fuzzy Hash: 144d15412fd5dbb420f3337d8fae68674c69010fd051b7522233ba084ab607b8
                                            • Instruction Fuzzy Hash: 99318766A1C6C1A5FA61EB20E4163AEB7A1FB84740FC00075DA8D02A99CF3CD544D721
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
                                            • String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_PACK
                                            • API String ID: 600764987-1502336670
                                            • Opcode ID: 8c50a8c693a37bfe4934866722795b9350daec6cf5273cf935bf0cc0efeb17b6
                                            • Instruction ID: 0251c3b805355d27dfc2760c4b2df38f25215c7c8ceb56e0d4dfdd94f3211f3c
                                            • Opcode Fuzzy Hash: 8c50a8c693a37bfe4934866722795b9350daec6cf5273cf935bf0cc0efeb17b6
                                            • Instruction Fuzzy Hash: 9F3185AAA1C6C1A5FA61EB20E4163AEB7A1FB84740FC00076DA8D02A99CF3CD544D721
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
                                            • String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_INSTALL
                                            • API String ID: 600764987-2628789574
                                            • Opcode ID: d0b436e43d75bf821002b78e2faeb4285766b6ee182af6f66c40bbd49654f42c
                                            • Instruction ID: 35ff4bbbb3fc66eec3432a62228c8e1047b3c83b892739dfc37edd8b4f275b63
                                            • Opcode Fuzzy Hash: d0b436e43d75bf821002b78e2faeb4285766b6ee182af6f66c40bbd49654f42c
                                            • Instruction Fuzzy Hash: 253185AAA1C6C1A5FA61EB20E4163AEB7A1FB84740FC00076DA8D02A99CF3CD544D721
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
                                            • String ID: %s (0x%08X)$%s - %s$SEC_E_BUFFER_TOO_SMALL
                                            • API String ID: 600764987-1965992168
                                            • Opcode ID: 24cfbc4bbd55e04eb686c9679fb5b47b238d752fd86eb04b9a038fb2f70f3349
                                            • Instruction ID: abc0bb84eff25deb215737dbffb8bdbbfe9b3df9561d307974d2bc618f8e7ff7
                                            • Opcode Fuzzy Hash: 24cfbc4bbd55e04eb686c9679fb5b47b238d752fd86eb04b9a038fb2f70f3349
                                            • Instruction Fuzzy Hash: 163185AAA1C6C1A5FA61EB20E4163AEB7A1FB84740FC00076DA8D02A99CF3CD544D721
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
                                            • String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_UNKNOWN
                                            • API String ID: 600764987-1381340633
                                            • Opcode ID: 67f281f48c0713fb8a407eac5047f533afa47a277d73dc2073de8ec8e3a93a9e
                                            • Instruction ID: 2d54381806a6f042775d48466855fc2c0affc2a6b7cd9d263b40d6debf501b7c
                                            • Opcode Fuzzy Hash: 67f281f48c0713fb8a407eac5047f533afa47a277d73dc2073de8ec8e3a93a9e
                                            • Instruction Fuzzy Hash: 363185AAA1C6C1A5FA61EB20E4163AEB7A1FB84740FC00176DA8D02A99CF3CD544D721
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
                                            • String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_EXPIRED
                                            • API String ID: 600764987-3862749013
                                            • Opcode ID: b28015ecdf1afb8791396c1b23dbd8ec432626920cf3f296fe1b83e61fb16438
                                            • Instruction ID: cda2475fcbbab67dae8b987352daaec0a949adc5459a4fb7498f7c58155d92ed
                                            • Opcode Fuzzy Hash: b28015ecdf1afb8791396c1b23dbd8ec432626920cf3f296fe1b83e61fb16438
                                            • Instruction Fuzzy Hash: 033185AAA1D6C1A5FA61EB20E4163AEB7A1FB84740FC00076DA8D02A99CF3CD544D721
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLast_errno$FormatMessagestrchrstrncpy
                                            • String ID: %s (0x%08X)$%s - %s$SEC_E_ALGORITHM_MISMATCH
                                            • API String ID: 600764987-618797061
                                            • Opcode ID: ee7f2f00767fdccae19966825e0293ce2e1ab8c7bb055c1d4858e65ed6542b9d
                                            • Instruction ID: 5d8161ecb75409e91779eda85baca7d1fa13b780f6a8da87ea4aa578f14200e6
                                            • Opcode Fuzzy Hash: ee7f2f00767fdccae19966825e0293ce2e1ab8c7bb055c1d4858e65ed6542b9d
                                            • Instruction Fuzzy Hash: 963194AAA1C7C1A5FB61EB20E4123AEB7A1FB84740F800076DA8D02A99DF3CD544D721
                                            APIs
                                            • ConvertSidToStringSidA.ADVAPI32 ref: 00007FF73AD01517
                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?,?,00007FF73AD018EF), ref: 00007FF73AD01599
                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?,?,00007FF73AD018EF), ref: 00007FF73AD015AC
                                            • memcpy.VCRUNTIME140(?,?,?,?,00000000,?,?,00007FF73AD018EF), ref: 00007FF73AD015C2
                                            • _invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?,?,00007FF73AD018EF), ref: 00007FF73AD01601
                                            • LocalFree.KERNEL32(?,?,?,?,00000000,?,?,00007FF73AD018EF), ref: 00007FF73AD01629
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _errno$ConvertFreeLocalString_invalid_parameter_noinfomemcpy
                                            • String ID:
                                            • API String ID: 3026804155-0
                                            • Opcode ID: 5067fa0b729cc3a821af6192570fd25bca47b8d198587100e5ebe5b114bb222c
                                            • Instruction ID: 6ffc53bd5d069bce8879b94014726a5105933fc8a3f8e9e30b2d51f339fb2d4a
                                            • Opcode Fuzzy Hash: 5067fa0b729cc3a821af6192570fd25bca47b8d198587100e5ebe5b114bb222c
                                            • Instruction Fuzzy Hash: DE51C169E29A42A2FA10FB15D94627DA3A0EF44BD0FC441B5EB1E07799CF3CE441A721
                                            APIs
                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD500AA
                                            • calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD500F8
                                            • calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD5015B
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD50299
                                              • Part of subcall function 00007FF73AD44040: strchr.VCRUNTIME140(00000000,?,?,00007FF73AD435FF), ref: 00007FF73AD44086
                                              • Part of subcall function 00007FF73AD44040: strchr.VCRUNTIME140(00000000,?,?,00007FF73AD435FF), ref: 00007FF73AD44096
                                              • Part of subcall function 00007FF73AD44040: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,00007FF73AD435FF), ref: 00007FF73AD440C0
                                              • Part of subcall function 00007FF73AD44040: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD440F5
                                              • Part of subcall function 00007FF73AD44040: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73AD4411A
                                              • Part of subcall function 00007FF73AD44040: _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73AD4413C
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73AD50324
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdup$callocmallocstrchr$freestrncpy
                                            • String ID: GSSAPI$GSSAPI handshake failure (empty challenge message)$Kerberos
                                            • API String ID: 370574955-353107822
                                            • Opcode ID: 06cf65cb48fcc62a73f4519b18ab06edea668728f2c237f4d831486e50d66c64
                                            • Instruction ID: 89f3be29196233aa19a2b2dfcef597ef306164317708fb21454bf40531b2e91e
                                            • Opcode Fuzzy Hash: 06cf65cb48fcc62a73f4519b18ab06edea668728f2c237f4d831486e50d66c64
                                            • Instruction Fuzzy Hash: DDA1CE76A28B459AFB10EF65E4422ADB7A5FB48B88F800075DE4C43B68DF38E405D750
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: invalid number; expected '+', '-', or digit after exponent$invalid number; expected digit after '.'
                                            • API String ID: 0-808606891
                                            • Opcode ID: 2730ef35087c3055d687314332988b2300484bbdf2223a9d955a81849e3a20ae
                                            • Instruction ID: f00ae467dc429c9415c8cd3c4a0cd7fd4d157d1e50b57f56faf278e529eff126
                                            • Opcode Fuzzy Hash: 2730ef35087c3055d687314332988b2300484bbdf2223a9d955a81849e3a20ae
                                            • Instruction Fuzzy Hash: 4BB1C66A90AA42E5FB249F28D46123CB771FB15B48FE44571C64E032D8DF3CE9A5E360
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdup
                                            • String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
                                            • API String ID: 1169197092-2292467869
                                            • Opcode ID: dc84e155dc241e09814003e24814fc38a355019b45f7879705a367772fe99cf2
                                            • Instruction ID: e18bd953c0ba7cc648be98bb85e50e47192c62c3606a56879c6021e5433767c2
                                            • Opcode Fuzzy Hash: dc84e155dc241e09814003e24814fc38a355019b45f7879705a367772fe99cf2
                                            • Instruction Fuzzy Hash: 6E91B569E2D786A5FF71E721904637DE7E0EF05748F8440B5DA8E026A9DF2CE444E322
                                            Similarity
                                            • API ID: _strdup
                                            • String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced$__Host-$__Secure-
                                            • API String ID: 1169197092-978722393
                                            • Opcode ID: 6a214aede563abdf51c806016b737c4014c2b8ef0741d02c7797d6f2985e48e9
                                            • Instruction ID: c5b5740304ef8cd202a0736826ccf47d723e75cc9789d46c97fd31fb8fb3214c
                                            • Opcode Fuzzy Hash: 6a214aede563abdf51c806016b737c4014c2b8ef0741d02c7797d6f2985e48e9
                                            • Instruction Fuzzy Hash: A5719769E2C786A5FF71EB21D04637DE7A0EF05748F8440B5DA8D026A9DF2CE444E322
                                            Similarity
                                            • API ID: free$strchrstrtol
                                            • String ID: %s%s%s$Connecting to hostname: %s$Connecting to port: %d$anonymous
                                            • API String ID: 137861075-1224060940
                                            • Opcode ID: 7f6fdc57b1334bcb494de6a3b9f7668b16a16b3993ad0d53ae28ca23d5eb346a
                                            • Instruction ID: da5961af4859e863a8af6b49fd5bcc70596f3ea18b2365455fb0ad53a59debe7
                                            • Opcode Fuzzy Hash: 7f6fdc57b1334bcb494de6a3b9f7668b16a16b3993ad0d53ae28ca23d5eb346a
                                            • Instruction Fuzzy Hash: 1551E46AA18BC2A4FBB1AB25A4017A9A790FB41B98FC44175DE9C07B98CF3CE145D310
                                            Similarity
                                            • API ID: _strdupfreestrpbrk
                                            • String ID: SMTPUTF8$%s %s%s$EXPN$HELP$VRFY %s%s%s%s
                                            • API String ID: 1812939018-2300960079
                                            • Opcode ID: 566584c11fa187fd2401cab74c7bb7e6a8bdb988c7b5281e1456010e8ba665c5
                                            • Instruction ID: a0265a4bea8e1f972cd2a5c3f1c40c5e84bae765f68f81975cab93ddab5b8d23
                                            • Opcode Fuzzy Hash: 566584c11fa187fd2401cab74c7bb7e6a8bdb988c7b5281e1456010e8ba665c5
                                            • Instruction Fuzzy Hash: 9E51016AE2CB81A1FB15EB11E4117B9B7A0EBA6B80FC441B1DA5D037D9DF2DE940D310
                                            Similarity
                                            • API ID: free
                                            • String ID: ALL$FLUSH$RELOAD$SESS$Set-Cookie:
                                            • API String ID: 1294909896-1147549499
                                            • Opcode ID: a650a8fe3cf8e73c1d907564eaf4a8554080a90537af4c2029c0f7119efed06d
                                            • Instruction ID: 03d2ecb49c33392aedf172221efb115ffeea15363d030b073fb189f906f51e5f
                                            • Opcode Fuzzy Hash: a650a8fe3cf8e73c1d907564eaf4a8554080a90537af4c2029c0f7119efed06d
                                            • Instruction Fuzzy Hash: FA41C329B3C60261FA54FB2595532B9E391EF84BC0FC840B1CD1E4769ADF6CE441B361
                                            Similarity
                                            • API ID: _strdup$callocfreestrrchr
                                            • String ID: Wildcard - Parsing started
                                            • API String ID: 2641349667-2274641867
                                            • Opcode ID: bd563e7eaca9d91348b2c8c617b805c8482c6179d8a3fccd36fc338857a39012
                                            • Instruction ID: e87030515edbecb303a50739bb26ad73e2271b4d8d3ba5894cb053973382698a
                                            • Opcode Fuzzy Hash: bd563e7eaca9d91348b2c8c617b805c8482c6179d8a3fccd36fc338857a39012
                                            • Instruction Fuzzy Hash: 01517A3AE18F42A1FB14EB51E4451BCB7A1FB84B40F8984B5CA4D0B398EF39E444E320
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0B46D
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0B497
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0B4A1
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0B4AB
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0B4B5
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0B4BF
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0B4C9
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0B4D3
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0B4DD
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0B4E6
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF73AD12E59,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD0B501
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: 98fb8155c5919fcb2b8347195ab805f8991de630cad49c66134ebc09135a7350
                                            • Instruction ID: a7763268a9bf4e5ee05a70ad6f555de1cb458502db7ced136276d6c2259fae8f
                                            • Opcode Fuzzy Hash: 98fb8155c5919fcb2b8347195ab805f8991de630cad49c66134ebc09135a7350
                                            • Instruction Fuzzy Hash: 2921E93AA68F4192EB10AF22E855139A770FB89F95F845071DE9E43728CF3CD8899710
                                            Similarity
                                            • API ID: memcpy$freemalloc
                                            • String ID: 8$Excessive server response line length received, %zd bytes. Stripping$cached response data too big to handle$response reading failed
                                            • API String ID: 3313557100-1003742340
                                            • Opcode ID: 4e359e170ab32e800d0ccb3f5392e78954b0e8754758fc0311aa994245ec9f95
                                            • Instruction ID: 0c59c31a4e7ab08e97a2f008073f17910c282b98ad51abfbf09aca75faf077dd
                                            • Opcode Fuzzy Hash: 4e359e170ab32e800d0ccb3f5392e78954b0e8754758fc0311aa994245ec9f95
                                            • Instruction Fuzzy Hash: 5281D66A628B91A2FB54AB26D0453BEA7A0FB457C0F8444B2DF4E47749DF3CE490D360
                                            Similarity
                                            • API ID: free$mallocmemcpy
                                            • String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
                                            • API String ID: 3401966785-517259162
                                            • Opcode ID: a13194ffae0eb89d6ad2ea92297a342947c16202ee97818982dd7a7039e8ed22
                                            • Instruction ID: b53213c8d062c6ce0d3f8a5825f4f70404dc331bb8e49c24dc4ee5f7517c4358
                                            • Opcode Fuzzy Hash: a13194ffae0eb89d6ad2ea92297a342947c16202ee97818982dd7a7039e8ed22
                                            • Instruction Fuzzy Hash: BB613659A2EBA265FB18A72180162BDA791EF127C4F8845F5CE4F0779DDF3CA044A320
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF73AD26288), ref: 00007FF73AD42DB0
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF73AD26288), ref: 00007FF73AD42DE7
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00000000,?,NTLM,?,00007FF73AD26288), ref: 00007FF73AD42E0E
                                            Similarity
                                            • API ID: free
                                            • String ID: %sAuthorization: NTLM %s$HTTP$NTLM$Proxy-
                                            • API String ID: 1294909896-3948863929
                                            • Opcode ID: d95155901938bb7511f70225ec7af3e83e3a8d69d7789567dbbbfd7e2de18010
                                            • Instruction ID: 06d2ff9e35264de2df3ce0ae2e154a7f9cff6cfc541cfaa3c4f6321fb4be30cc
                                            • Opcode Fuzzy Hash: d95155901938bb7511f70225ec7af3e83e3a8d69d7789567dbbbfd7e2de18010
                                            • Instruction Fuzzy Hash: D0618D3AA18F8191FB64EF05E8493AAB7A8FB44B84F8040B6DA8D47768DF3CD545D710
                                            APIs
                                            • _fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF73AD383B7
                                              • Part of subcall function 00007FF73AD38960: strchr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF73AD38996
                                              • Part of subcall function 00007FF73AD38960: _open.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF73AD389EB
                                            Similarity
                                            • API ID: _fstat64_openstrchr
                                            • String ID: Accept-ranges: bytes$Can't get the size of file.$Content-Length: %I64d$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s$failed to resume file:// transfer
                                            • API String ID: 3410096895-1509146019
                                            • Opcode ID: c609bc26b9459c105d47de048388bc637963765226ad3c1a17c91b0aba2a2ea8
                                            • Instruction ID: 74edd9c46ab4ca137fde3c81ef8c8d773d0157a688dee502a885145c3acdc1c3
                                            • Opcode Fuzzy Hash: c609bc26b9459c105d47de048388bc637963765226ad3c1a17c91b0aba2a2ea8
                                            • Instruction Fuzzy Hash: E6B1B47AE28682A5FB60AB25D4023BEA391FB847C4F944071DE4D4779DEF3DE401A760
                                            Similarity
                                            • API ID: strchr$mallocrealloc
                                            • String ID: 0123456789-$<DIR>$APM0123456789:
                                            • API String ID: 359134164-4291660576
                                            • Opcode ID: 3737657a1a96ca69f642d9da4703c11575f635bf74fd63f22841ddb1ceb300bd
                                            • Instruction ID: 3e729a2c804adc907bd708fcfccef5cf6055c7753a54b29b09938422494fc11f
                                            • Opcode Fuzzy Hash: 3737657a1a96ca69f642d9da4703c11575f635bf74fd63f22841ddb1ceb300bd
                                            • Instruction Fuzzy Hash: 6AB1833AA18B51AAFB24AF25D052379A7A0FB44B48F5541B5CB8E0739CDF7CE440E760
                                            Similarity
                                            • API ID: malloc$Ioctlsetsockopt
                                            • String ID: Failed to alloc scratch buffer!$We are completely uploaded and fine
                                            • API String ID: 3352517165-607151321
                                            • Opcode ID: 35d748f3144527b4fac2f6cb60dbb7eda79c5931ef00ef931f4b0b9e98d19bba
                                            • Instruction ID: fd100545d59ed3f4f8822dc55b73e8a0a2ff0aa2d0cadf355b9c9f7be966fc77
                                            • Opcode Fuzzy Hash: 35d748f3144527b4fac2f6cb60dbb7eda79c5931ef00ef931f4b0b9e98d19bba
                                            • Instruction Fuzzy Hash: 3EB18436A18BC291FBA5AF34D0053F96390EB48B58F884176CE4D4A79EDF3C9495D320
                                            Similarity
                                            • API ID: free$_strdupmalloc
                                            • String ID: %s?%s$Failed sending Gopher request
                                            • API String ID: 111713529-132698833
                                            • Opcode ID: 820173812c7a69f04b9f641ad3ecca06867c4ba109d629a424f597f913a138a2
                                            • Instruction ID: ad342637a336af45aba368b975a3146064e80eb2f5b4638f21a972ab1a63b318
                                            • Opcode Fuzzy Hash: 820173812c7a69f04b9f641ad3ecca06867c4ba109d629a424f597f913a138a2
                                            • Instruction Fuzzy Hash: 3851D829E28B8691F750AB29A4021BAE390FF49BE4F840271DE6D4B7EDDF3CD4419710
                                            APIs
                                            • strchr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF73AD38996
                                            • _open.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF73AD389EB
                                            • _fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF73AD38A5C
                                            • _close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF73AD38A69
                                            • _close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF73AD38B7B
                                            Similarity
                                            • API ID: _close$_fstat64_openstrchr
                                            • String ID: Can't get the size of %s$Can't open %s for writing
                                            • API String ID: 423814720-3544860555
                                            • Opcode ID: 5ca74dbb9ed0fb52d929849601a3ce6bbc36ca070a3e16c07a3dd9386ec84f54
                                            • Instruction ID: e2e07fd3a3812bd9acd279c39d2665606c293cc4197b84b4321ac3d9db238e50
                                            • Opcode Fuzzy Hash: 5ca74dbb9ed0fb52d929849601a3ce6bbc36ca070a3e16c07a3dd9386ec84f54
                                            • Instruction Fuzzy Hash: FB51E66AB28A82A1FF18AB25D4123BDA391FF84BD0F844075DA4E477D9DF3DE445A310
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freemalloc$_strdupstrtol
                                            • String ID: %%%02x
                                            • API String ID: 2999891020-4020994737
                                            • Opcode ID: 77bd54700a3c8aabd0dd977745ab72a3ce850616908835048469eb695edd24aa
                                            • Instruction ID: 940b9cf4dd1d61ec53d1a395f393a68657997e4c33405c88db0dd2899cd6343b
                                            • Opcode Fuzzy Hash: 77bd54700a3c8aabd0dd977745ab72a3ce850616908835048469eb695edd24aa
                                            • Instruction Fuzzy Hash: C051181D92D7A265FB61AB21B011379AB91DF42B80F8801F1DE9E077C9DE2DF449E320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$malloc$_strdup
                                            • String ID: %%%02x
                                            • API String ID: 1496848336-4020994737
                                            • Opcode ID: 971357583ab86598d8bbbadc777bbb4f2e558671ca3c2c86ee842f367469145c
                                            • Instruction ID: 8faca5c59e7a4adfc44c309f33c2f2cbae3e6e733c518da004126c8c76890ba8
                                            • Opcode Fuzzy Hash: 971357583ab86598d8bbbadc777bbb4f2e558671ca3c2c86ee842f367469145c
                                            • Instruction Fuzzy Hash: AE41F51D92D7A265FB62AB217012379AB91DF46B50F8801F1CEDE077C9DE2DF449A320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLasthtonssend
                                            • String ID: Sending data failed (%d)
                                            • API String ID: 2027122571-2319402659
                                            • Opcode ID: 132091cfaa1fa980ce3cd912a0750d1ac0ca4a0013ac6898047b3f892f610244
                                            • Instruction ID: 36403780318e3e1eab63dd0e2bc17447c9832950bd60253669ff588c83ec7fce
                                            • Opcode Fuzzy Hash: 132091cfaa1fa980ce3cd912a0750d1ac0ca4a0013ac6898047b3f892f610244
                                            • Instruction Fuzzy Hash: 3741D23BB18A85A1FB00AF35D4156A8B720F750F89F844972DB9903798DF7DE00AD320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$_strdupmalloc
                                            • String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
                                            • API String ID: 111713529-2901970132
                                            • Opcode ID: 885e964eaa3e5b5c8ad5449d8412af57d3f4c941fef73c9629f6b4fff520151f
                                            • Instruction ID: 10497043addbbcf91921006c7ddb7f33e95183549c4ab44dea9f7d5e5e3b5905
                                            • Opcode Fuzzy Hash: 885e964eaa3e5b5c8ad5449d8412af57d3f4c941fef73c9629f6b4fff520151f
                                            • Instruction Fuzzy Hash: 1E31B16DA1DB9265FB10AB6694020F9A7A1FF45784FC448B5CE4E077AEDF3CE004A320
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo_noreturn$memcpy
                                            • String ID:
                                            • API String ID: 3063020102-0
                                            • Opcode ID: e342187c8cd1f161ef373432542ac71534a2e68551c2f7cf2310fbd6c26b5289
                                            • Instruction ID: 1d84492cd4f0709832207e92c3b0e6592cee0c2697f44f64549767f13b5cd3f1
                                            • Opcode Fuzzy Hash: e342187c8cd1f161ef373432542ac71534a2e68551c2f7cf2310fbd6c26b5289
                                            • Instruction Fuzzy Hash: 11B1026AB19B4295FB00EB64E4113ADA361EB447A8F804670DF6C17BDADF3CE095E350
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: Serial Number: %s$ Signature Algorithm: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Serial Number$Signature Algorithm
                                            • API String ID: 1294909896-599393795
                                            • Opcode ID: 35fd25f4752ff7cd04d77df3f9f99e62ef18a235aca9cebc2ac59021716ab536
                                            • Instruction ID: e9019e2673f387eb4ed6e51f55d970520a3fd06d8ebea2f1b7fd6d4b0ebd98d4
                                            • Opcode Fuzzy Hash: 35fd25f4752ff7cd04d77df3f9f99e62ef18a235aca9cebc2ac59021716ab536
                                            • Instruction Fuzzy Hash: 6161D369A29BA264FB10AB6594061BCA7A0FB017C4FC844F6CA4D17B5DCF7CE544E320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$malloc$memcpy
                                            • String ID: Signature: %s$Signature
                                            • API String ID: 901724546-1663925961
                                            • Opcode ID: f88e71eb1214b260cc3688f4f29c23b61b26d1e5c691a59e4fe9907adf74fe9f
                                            • Instruction ID: ac6361257cd19a9b0b0bb356dc9576350335693a856b295b4fd040aa96eb8f21
                                            • Opcode Fuzzy Hash: f88e71eb1214b260cc3688f4f29c23b61b26d1e5c691a59e4fe9907adf74fe9f
                                            • Instruction Fuzzy Hash: 1B518A29B1DAD251FF28A71690162B9AB90FB45BD0F8441B6CA5F077DDEF3CD005A320
                                            APIs
                                            • GetTokenInformation.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF73AD018DE), ref: 00007FF73AD01E7A
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF73AD018DE), ref: 00007FF73AD01E80
                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF73AD018DE), ref: 00007FF73AD01EDF
                                            • GetTokenInformation.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF73AD018DE), ref: 00007FF73AD01F1F
                                            • IsValidSid.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF73AD018DE), ref: 00007FF73AD01F6D
                                            • GetLengthSid.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF73AD018DE), ref: 00007FF73AD01F7A
                                            • CopySid.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF73AD018DE), ref: 00007FF73AD01F92
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF73AD018DE), ref: 00007FF73AD01FB6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: InformationToken$CopyErrorLastLengthValidfreemalloc
                                            • String ID:
                                            • API String ID: 2357097940-0
                                            • Opcode ID: a2034901629b5a59706147417ca7dd00e2cfc9c934a5c144acf82cc918b244d0
                                            • Instruction ID: f6547a467c02bde39ecb6becf865e1ecfae4aff6f9676e4e35e7b4863ca1db57
                                            • Opcode Fuzzy Hash: a2034901629b5a59706147417ca7dd00e2cfc9c934a5c144acf82cc918b244d0
                                            • Instruction Fuzzy Hash: 6051A12AA28682A6FB14FF31C4112ACA790FB44B94FC445B4FA1D47BC9DF3CE515A321
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: Expire Date: %s$ Public Key Algorithm: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$Expire Date$GMT$Public Key Algorithm
                                            • API String ID: 1294909896-1642401773
                                            • Opcode ID: 8adae43b5498fac82874378023eb0ba67fd859b21670b4a2a3a49f57112b7f90
                                            • Instruction ID: 5a5ea32cfc752ba0712c9db7b42cb9970056cf5e58fab2e3544008f18153fa51
                                            • Opcode Fuzzy Hash: 8adae43b5498fac82874378023eb0ba67fd859b21670b4a2a3a49f57112b7f90
                                            • Instruction Fuzzy Hash: 5851D569A2DB9264FB10AB65D4021F9A761FB05784FC844F6CA4E1779EDF3CE104E320
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdup
                                            • String ID:
                                            • API String ID: 1169197092-0
                                            • Opcode ID: 4a2ea08fc3b1671cc0284ef113618cb274ebf2c0dc882fb53bdbd85c52bc4aa3
                                            • Instruction ID: 4e09a886f7faa77c898bb25100bef67a7d709bd68e343090fe562d4541d07054
                                            • Opcode Fuzzy Hash: 4a2ea08fc3b1671cc0284ef113618cb274ebf2c0dc882fb53bdbd85c52bc4aa3
                                            • Instruction Fuzzy Hash: 2951932AA2AB4091FB95DF66F041128B7A0FB48F84B481575EF5E03B5CDF38E4E19750
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: Serial Number: %s$ Signature Algorithm: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Serial Number$Signature Algorithm
                                            • API String ID: 1294909896-3876350232
                                            • Opcode ID: 001a1f094c72a99abfd70e5170dcf2c1ef20d368d05bcdafc3cfb13358300591
                                            • Instruction ID: 98e94a685a4868bd93e61281785b67055c88f74a258596e41980ad16c09634de
                                            • Opcode Fuzzy Hash: 001a1f094c72a99abfd70e5170dcf2c1ef20d368d05bcdafc3cfb13358300591
                                            • Instruction Fuzzy Hash: BC51B269A2DB92A4FB10AB6194421FDA7A1FB05BC4FC844B2CA4E1735DCF3CE504E321
                                            APIs
                                            • strchr.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,00007FF73AD44853), ref: 00007FF73AD454E8
                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,00007FF73AD44853), ref: 00007FF73AD4552A
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00007FF73AD44853), ref: 00007FF73AD455CF
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00007FF73AD44853), ref: 00007FF73AD455E2
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD45AC7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$memcpystrchr
                                            • String ID: %s?dns=%s$Failed to encode DOH packet [%d]
                                            • API String ID: 1438451818-3030351490
                                            • Opcode ID: b06c9a6cfe1491c243e93c60a718ad3b283934f75040aaf234fb7884b306a887
                                            • Instruction ID: 330098a304c78682e6e5aa747f70b3365105e08c66485ff328de2d1b424491a3
                                            • Opcode Fuzzy Hash: b06c9a6cfe1491c243e93c60a718ad3b283934f75040aaf234fb7884b306a887
                                            • Instruction Fuzzy Hash: 9002E55AB28BD3A6F710EB6194423B9A7D6EF45788F8440F1DE0D4778ADE68DC44A320
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$mallocmemcpymemset
                                            • String ID:
                                            • API String ID: 1579693990-0
                                            • Opcode ID: 7e475e322eddb99df151d630e5f87abef7c9661a52240266933bb5358584fedb
                                            • Instruction ID: 88ee0bb525f03ee558da3f48403b4e6893d834aadb6d238a1c68229ac726887a
                                            • Opcode Fuzzy Hash: 7e475e322eddb99df151d630e5f87abef7c9661a52240266933bb5358584fedb
                                            • Instruction Fuzzy Hash: 4591B529B29B9262FA54FA1694563799390FF44BC0FC844F4DE4D4BB89DF2CE811A321
                                            APIs
                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF73AD1AD48), ref: 00007FF73AD1AE95
                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF73AD1AD48), ref: 00007FF73AD1AEAF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: strncmp
                                            • String ID: I32$I64$Internal error removing splay node = %d
                                            • API String ID: 1114863663-13178787
                                            • Opcode ID: bcb9afba8b02ce2e90d2221cddd3025082d5648365cfb6c57962aad3975302a6
                                            • Instruction ID: 3f5aab29a606960afd572223bef0111ebdda05b1ad0be5711e1ea079fbc15314
                                            • Opcode Fuzzy Hash: bcb9afba8b02ce2e90d2221cddd3025082d5648365cfb6c57962aad3975302a6
                                            • Instruction Fuzzy Hash: D9A1183BA18A4296FB20AF24E45177DBBA4FB48B58F854175CA9D43269DF3CD208D720
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: schannel: ApplyControlToken failure: %s$schannel: failed to send close msg: %s (bytes written: %zd)$schannel: shutting down SSL/TLS connection with %s port %hu
                                            • API String ID: 1294909896-116363806
                                            • Opcode ID: e07f30e6e911af03d6728ef26db86dfc36681ec76705de0f768b2dfeeadd1410
                                            • Instruction ID: e6841ea785926ef79de0f93ca0940a5baeca8aa809328afae8a6d908d6ea02da
                                            • Opcode Fuzzy Hash: e07f30e6e911af03d6728ef26db86dfc36681ec76705de0f768b2dfeeadd1410
                                            • Instruction Fuzzy Hash: B7918A3A618F8596FB10EF25E8416AEB7A4FB84B88F840175DE4C477A8DF38D445DB10
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdup
                                            • String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
                                            • API String ID: 1169197092-2292467869
                                            • Opcode ID: 90f2f023cdc8a42e1b97df494a0f67eb88b29e38e58e4ee7ae2bfcc5365c8488
                                            • Instruction ID: 66f67d21cab6e2c122fc0f6d990e3d51a934776deec17bf2b5c1f884f4cb5784
                                            • Opcode Fuzzy Hash: 90f2f023cdc8a42e1b97df494a0f67eb88b29e38e58e4ee7ae2bfcc5365c8488
                                            • Instruction Fuzzy Hash: 6C618469E2C786A5FF71EB25D04637DA7E0EF05748F8400B5CA8D066A9DF2CE445E322
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: isupper$free
                                            • String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$TRUE
                                            • API String ID: 573759493-910067264
                                            • Opcode ID: 76f7e2f7a542dd5e178dc2e147491f4daaec7db6251286cccd6da4263d1f286c
                                            • Instruction ID: b6447d62b036a7bbf1b6e169aa341c764fb71b038de3e5300d5e40f9abdff8d3
                                            • Opcode Fuzzy Hash: 76f7e2f7a542dd5e178dc2e147491f4daaec7db6251286cccd6da4263d1f286c
                                            • Instruction Fuzzy Hash: E8611869E2CAF664FB11AB249506279FBA4EB21784FD441F1C68D02A9CCF3CE545E320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdup$strchr
                                            • String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
                                            • API String ID: 3404610657-2292467869
                                            • Opcode ID: 77c179985ae447a57cbc94f77982c5170b4ea6271e23b75ded7eff817584a596
                                            • Instruction ID: 71d3d2f76aa7e965e0d6ad4560dcb97869b8d98c2ab5d468243cb60d85f05297
                                            • Opcode Fuzzy Hash: 77c179985ae447a57cbc94f77982c5170b4ea6271e23b75ded7eff817584a596
                                            • Instruction Fuzzy Hash: 0E619769E2C786A5FF71EB25D04637DA7E0EF05748F8400B5CA8D066A9DF2CE445E321
                                            APIs
                                            • memcpy.VCRUNTIME140(?,?,?,00007FF73ACF1C8A), ref: 00007FF73ACF6BE1
                                            • memcpy.VCRUNTIME140(?,?,?,00007FF73ACF1C8A), ref: 00007FF73ACF6C25
                                            • memcpy.VCRUNTIME140(?,?,?,00007FF73ACF1C8A), ref: 00007FF73ACF6C3D
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF73ACF1C8A), ref: 00007FF73ACF6CC2
                                              • Part of subcall function 00007FF73AD50FD4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF73ACF517E,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73AD50FEE
                                            • memcpy.VCRUNTIME140(?,?,?,00007FF73ACF1C8A), ref: 00007FF73ACF6CF4
                                            • memcpy.VCRUNTIME140(?,?,?,00007FF73ACF1C8A), ref: 00007FF73ACF6D0F
                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF73ACF6D2C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                            • String ID:
                                            • API String ID: 1155477157-0
                                            • Opcode ID: c7dc035757dcf0361bdb054ed86f9bf99010773e0e1c5867e139e1e8151fa7c3
                                            • Instruction ID: 969aaa69db987c6a9d5122cd93a3bdd8bf621103adc32c1d51bcd4606b158660
                                            • Opcode Fuzzy Hash: c7dc035757dcf0361bdb054ed86f9bf99010773e0e1c5867e139e1e8151fa7c3
                                            • Instruction Fuzzy Hash: B6510F26A0ABC2A2FA04EF25D516268A360FB14BD4F940A31CF6D173C6CF7CE195E350
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freememcpy$malloc
                                            • String ID: Failed to alloc scratch buffer!
                                            • API String ID: 169112436-1446904845
                                            • Opcode ID: 47cdbe7cfbe3fcc66ff5ac541bccbd226539920edc277e813766e8a85038453f
                                            • Instruction ID: 31858a71e4d44ce664fa9c0d39eb89e63b7962a2659ffc57740ec5e5daeaab9d
                                            • Opcode Fuzzy Hash: 47cdbe7cfbe3fcc66ff5ac541bccbd226539920edc277e813766e8a85038453f
                                            • Instruction Fuzzy Hash: C951C07AA29781A6FB28DF65E5012AAB7A0FB19784F840075DF8D03799DF3CE154D320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: strstr
                                            • String ID: $ bytes$Data conn was not available immediately$Getting file with size: %I64d$Maxdownload = %I64d$RETR response: %03d
                                            • API String ID: 1392478783-2096918210
                                            • Opcode ID: 98b2d3edbda60c63995f711dd09914671eb63e825f28722de7741b0afe97d6d0
                                            • Instruction ID: c56b6e7a784e908cca82e3159176a6ee9690619ceb8b1c48b52df025c0704b17
                                            • Opcode Fuzzy Hash: 98b2d3edbda60c63995f711dd09914671eb63e825f28722de7741b0afe97d6d0
                                            • Instruction Fuzzy Hash: DE515B6BE1C78269FB25A724A4462B8E390FB45370FC442B1DE5C02AD9DF7DD486E310
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$malloc
                                            • String ID: Signature: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Signature
                                            • API String ID: 2190258309-3231818857
                                            • Opcode ID: f85c9e28b2b5febf6cebab1dd90ad1df248e9e9a6124e94aabf58f745a77f415
                                            • Instruction ID: 7d63153381b2d14fe882e408054f53032bc0a081a5abe7541bb37c2692d80b2d
                                            • Opcode Fuzzy Hash: f85c9e28b2b5febf6cebab1dd90ad1df248e9e9a6124e94aabf58f745a77f415
                                            • Instruction Fuzzy Hash: C751D669A2CAD2A5FB219B26A4451B9E7A4FB45B90FC444B2CA8E03B5CCF3CD145D710
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ErrorLastfreememcpy
                                            • String ID: *$FTP response aborted due to select/poll error: %d$FTP response timeout$QUOT string not accepted: %s$We got a 421 - timeout!
                                            • API String ID: 1248052217-2335292235
                                            • Opcode ID: bcf282b738d7f34674c234a60b2517492483dc6bde4c0b00df4c61de9bc63897
                                            • Instruction ID: 66a83824a58f8ce4c0b49cac7839f58ead8b22fd2fb764f6c96e81c08c68778e
                                            • Opcode Fuzzy Hash: bcf282b738d7f34674c234a60b2517492483dc6bde4c0b00df4c61de9bc63897
                                            • Instruction Fuzzy Hash: D751F769F28683A9FB65BA25D8023B9A390EF45784F8441B1DE0D872DDEF2DE445E310
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: Digest$stale$true
                                            • API String ID: 1294909896-2487968700
                                            • Opcode ID: 6f0475974efa24e8fbc3d73b36d4f1d25cadbdca7060c5874d9ab79cb964ce76
                                            • Instruction ID: 8866955d854c6045d6bccccc875ab4d49510e9543788119bb382f7c6161801c0
                                            • Opcode Fuzzy Hash: 6f0475974efa24e8fbc3d73b36d4f1d25cadbdca7060c5874d9ab79cb964ce76
                                            • Instruction Fuzzy Hash: AF51C529A2CA9261FF20AF25E4523B9B3A0FF44B84FC441B1EA9D476C9DF2CD515D720
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: memchrmemcpyrecvfrom
                                            • String ID: Internal error: Unexpected packet$Received too short packet$TFTP error: %s
                                            • API String ID: 3107918033-477593554
                                            • Opcode ID: a39ce3c30d563b271151488736fa91590d51a6ba364d5fb86d046a907728c25b
                                            • Instruction ID: 3e93cb0b670d4c0965761024e01ad2ec9b10b56df0ab9e83bd695d166c97f517
                                            • Opcode Fuzzy Hash: a39ce3c30d563b271151488736fa91590d51a6ba364d5fb86d046a907728c25b
                                            • Instruction Fuzzy Hash: 225105B9A186C295FB64AF24C4523BDA790FB45B84F884271DA8D4778CDE3DE405EB20
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freemalloc$_strdup
                                            • String ID: %%%02x
                                            • API String ID: 1941130848-4020994737
                                            • Opcode ID: fed69df65176b25d433b0a66ea512be180adda36587a7fabe9ca90d33ea6589c
                                            • Instruction ID: 9fe630ef461c92b25c4f5f8a91dc172fe00f2cb4009b2a7ef39877e9b00378fd
                                            • Opcode Fuzzy Hash: fed69df65176b25d433b0a66ea512be180adda36587a7fabe9ca90d33ea6589c
                                            • Instruction Fuzzy Hash: F941261D92D6A165FB62AB217012379AB90EF42B44F8805F1CEDE077C9DF2DE449E320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freemalloc$_strdup
                                            • String ID: %%%02x
                                            • API String ID: 1941130848-4020994737
                                            • Opcode ID: cfb5b72897b3640e3ddf32e1117a6d838b57e4d7e7d215cf4dd607628183e546
                                            • Instruction ID: f5743ca6d7f5118d5c5eb2ac67f3f5a8e5cad14c0bdd99b0a326a4ec28f6201c
                                            • Opcode Fuzzy Hash: cfb5b72897b3640e3ddf32e1117a6d838b57e4d7e7d215cf4dd607628183e546
                                            • Instruction Fuzzy Hash: 7C41F51D92D6A265FB62AB217012378AB91DF46B50F8801F1CEDE077C9DE2DF448A320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freemalloc$_strdup
                                            • String ID: %%%02x
                                            • API String ID: 1941130848-4020994737
                                            • Opcode ID: 2747d6bb2743ca7f1ca5ad6f99292fd065f44510c212ab333fd5ec055fbfad6d
                                            • Instruction ID: 38efa3cd2271e1d80549a0914158a86db6670d85e82b0bc34e831365c9b755cf
                                            • Opcode Fuzzy Hash: 2747d6bb2743ca7f1ca5ad6f99292fd065f44510c212ab333fd5ec055fbfad6d
                                            • Instruction Fuzzy Hash: 3741F61D92D6A265FB62AB217012378AB91DF46B50F8801F1CE9E077C9DE2DE445A320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freemalloc$_strdup
                                            • String ID: %%%02x
                                            • API String ID: 1941130848-4020994737
                                            • Opcode ID: f0a5dec7a6829da9e658e8a9fe293304ca0b81dfb7ceab350bc5f67ffcca4bfb
                                            • Instruction ID: 8b9c92da384153d788de2911f53eadc1a50beddd9c2de02539f73bfed2d35bf5
                                            • Opcode Fuzzy Hash: f0a5dec7a6829da9e658e8a9fe293304ca0b81dfb7ceab350bc5f67ffcca4bfb
                                            • Instruction Fuzzy Hash: CB41F61D92D6A265FB62AB217012378AB91DF46B50F8801F1CE9E077C9DE2DE445A320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freemalloc$_strdup
                                            • String ID: %%%02x
                                            • API String ID: 1941130848-4020994737
                                            • Opcode ID: 186fee5687931d40b4c2ef807a5696b0b782695a1db0f7de82079c91e4d66bf2
                                            • Instruction ID: 8bdf50871449e3d8d34b75692c4968d12f0386c415d6fd72be266023ec3a8b82
                                            • Opcode Fuzzy Hash: 186fee5687931d40b4c2ef807a5696b0b782695a1db0f7de82079c91e4d66bf2
                                            • Instruction Fuzzy Hash: 7241F71D92D7A265FB62AB217012378AB91DF46B50F8801F1CEDE077C9DE2DF445A320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freemalloc$_strdup
                                            • String ID: %%%02x
                                            • API String ID: 1941130848-4020994737
                                            • Opcode ID: afb2ffb4746d36919b7f1e0b29476894b60c45c25966f89c212e037f0804b22e
                                            • Instruction ID: 4cd4879b86ae0e992d3ea8cb013adf6f27c322bc777d07c311cec05e1dbbe90f
                                            • Opcode Fuzzy Hash: afb2ffb4746d36919b7f1e0b29476894b60c45c25966f89c212e037f0804b22e
                                            • Instruction Fuzzy Hash: 4E41F61D92D7A265FB62AB217012378AB91DF46B50F8805F1CE9E077C9DE2DE445A320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: freemalloc$_strdup
                                            • String ID: %%%02x
                                            • API String ID: 1941130848-4020994737
                                            • Opcode ID: 7527fdf159f91d98e67d27b3f59d83357e3df51c920be20e9954b610b0e9a087
                                            • Instruction ID: 8163bc35536f3d443cdac4be7a3d3296984d1221db90b184c0223b813ae694b3
                                            • Opcode Fuzzy Hash: 7527fdf159f91d98e67d27b3f59d83357e3df51c920be20e9954b610b0e9a087
                                            • Instruction Fuzzy Hash: 0941E51D92D7A265FB62AB217012378AB91DF46B50F8801F1DEDE077C9DE2DE449A320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: strchr
                                            • String ID: 100-continue$Expect$Expect:$Expect: 100-continue
                                            • API String ID: 2830005266-711804848
                                            • Opcode ID: 949646363b574d71c49e1552ae6e1dfe917057c9dc396973c77786bab85b85c1
                                            • Instruction ID: 376d236877d90ab32e05afc6e3ca655e64f168f5513046f14250ce5635da6dd8
                                            • Opcode Fuzzy Hash: 949646363b574d71c49e1552ae6e1dfe917057c9dc396973c77786bab85b85c1
                                            • Instruction Fuzzy Hash: 6241D93DB2D68691FE54BB1AA4025B9E791EF45784FC800B4DA4D0778EEE2CE441E720
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: fseek
                                            • String ID: Cannot rewind mime/post data$ioctl callback returned error %d$necessary data rewind wasn't possible$seek callback returned error %d$the ioctl callback returned %d
                                            • API String ID: 623662203-959247533
                                            • Opcode ID: 50bd09d713134e0da44288561a765d96ac21585d93d49751b534ea4254a34593
                                            • Instruction ID: 8c1e8163a97010ec91f8f1d4314c44683834e86487866df59622d6f004b5bfdf
                                            • Opcode Fuzzy Hash: 50bd09d713134e0da44288561a765d96ac21585d93d49751b534ea4254a34593
                                            • Instruction Fuzzy Hash: 8441C66AB24A4251FB94EB3594523B96392FF85B84F882071DD0E4B39DDF3DD480D720
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free
                                            • String ID: Expire Date: %s$ Public Key Algorithm: %s$%s%lx$Expire Date$Public Key Algorithm
                                            • API String ID: 1294909896-3155708153
                                            • Opcode ID: e435ceb1295a207ca531d4d1bd71585a74677e19f70f4eccf9ff7b7bb0609de3
                                            • Instruction ID: 0b8f2d3245e66b28811a2ce33a3d1c53c90e86231eb8a77bfdd30469d636291b
                                            • Opcode Fuzzy Hash: e435ceb1295a207ca531d4d1bd71585a74677e19f70f4eccf9ff7b7bb0609de3
                                            • Instruction Fuzzy Hash: 93419369A2DBA264FB20AB6694461F9A761FB05784FC444F5CE4E0779EDF3CE104A320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free$malloc
                                            • String ID: Signature: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Signature
                                            • API String ID: 2190258309-3662781045
                                            • Opcode ID: 1d8a3240ce61001dc99aa1db0dcfac25c8b2628c6441f6d53234acd081df675b
                                            • Instruction ID: 0d76eb6dfb8e09bfb0908b6f677781480ff67fcbabb44c5430c3d2173bb8cea6
                                            • Opcode Fuzzy Hash: 1d8a3240ce61001dc99aa1db0dcfac25c8b2628c6441f6d53234acd081df675b
                                            • Instruction Fuzzy Hash: 0241B72AA1CB96A1FB20EB26E4461E9E3A0FB45B84FC840B2DA4E0775DDF3CD545D710
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _strdupfree
                                            • String ID: .
                                            • API String ID: 1865132094-916926321
                                            • Opcode ID: f1ab1ca59cd73ae94121d53b2a3f43b2756969529a46232909368021d89237a3
                                            • Instruction ID: 5d291e21c5375ba5e2a8d6b26dae3b4bee500e590c80d49f9665337fb1ffeb04
                                            • Opcode Fuzzy Hash: f1ab1ca59cd73ae94121d53b2a3f43b2756969529a46232909368021d89237a3
                                            • Instruction Fuzzy Hash: F441B526E18B86A2FB50EF21E401279F7A0FB49F80F854071EA4D47698DF7DE491D760
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free$mallocmemcpy
                                            • String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
                                            • API String ID: 3401966785-517259162
                                            • Opcode ID: 68a868a3f9c436f8e85ff2fda507b46bd44467c89c647bf6f96657e5d5d78264
                                            • Instruction ID: 50bd40cfcc503f44d55924f2071aa0cd1f62bd0a1602a7e5849a6639174e5bcb
                                            • Opcode Fuzzy Hash: 68a868a3f9c436f8e85ff2fda507b46bd44467c89c647bf6f96657e5d5d78264
                                            • Instruction Fuzzy Hash: DC41D35DB2AB9265FB10AB6294061F8A791FF55BC4FC844B5CD0E1775DDF3CA4049320
                                            APIs
                                              • Part of subcall function 00007FF73AD2DCE0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD12259,?,?,?,?,00007FF73AD115FB), ref: 00007FF73AD2DD08
                                              • Part of subcall function 00007FF73AD2DCE0: GetEnvironmentVariableA.KERNEL32(?,?,?,00007FF73AD12259,?,?,?,?,00007FF73AD115FB), ref: 00007FF73AD2DD2E
                                              • Part of subcall function 00007FF73AD2DCE0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD12259,?,?,?,?,00007FF73AD115FB), ref: 00007FF73AD2DD4F
                                              • Part of subcall function 00007FF73AD2DCE0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD12259,?,?,?,?,00007FF73AD115FB), ref: 00007FF73AD2DD60
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD4226F
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD422B8
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD422C1
                                            Strings
                                            Similarity
                                            • API ID: free$realloc$EnvironmentVariable
                                            • String ID: %s%s.netrc$%s%s_netrc$HOME
                                            • API String ID: 4174189579-3384076093
                                            • Opcode ID: 1b35adc42e643c2407c75afb52d1076ad4e106ff5b4138c3a2336353e2ca422f
                                            • Instruction ID: 1e68a903a597b88938e5e185baa2568ad2b47b768b9ace275e05a3bcc3f38599
                                            • Opcode Fuzzy Hash: 1b35adc42e643c2407c75afb52d1076ad4e106ff5b4138c3a2336353e2ca422f
                                            • Instruction Fuzzy Hash: 9B31C629A18B51A1FA14FB12B8421AAE7A0FF84BD0FC444B5DD8D0776CDF3CE005A724
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: freemalloc$memcpy
                                            • String ID: Signature: %s$Signature
                                            • API String ID: 3519880569-1663925961
                                            • Opcode ID: e023c3ad630c6134aeb32b7d011cf589474a6336939163e49ac3f316fd1cec93
                                            • Instruction ID: 2c4e65bf7fadce5b3ffb02e8ed10da64dd8f41ecbd23c07f44433028a6b480f7
                                            • Opcode Fuzzy Hash: e023c3ad630c6134aeb32b7d011cf589474a6336939163e49ac3f316fd1cec93
                                            • Instruction Fuzzy Hash: 5531C629B19B8251FE24EB16A4052B9A390FF85BD4F8445B2CD5E077A9EF3CD0059310
                                            APIs
                                            • ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF73AD024DD
                                            • ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF73AD024F7
                                            • ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF73AD02529
                                            • ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF73AD02553
                                            • std::_Facet_Register.LIBCPMT ref: 00007FF73AD0256C
                                            • ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF73AD0258B
                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF73AD025B6
                                            Similarity
                                            • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskD@std@@Facet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@std::_
                                            • String ID:
                                            • API String ID: 3790006010-0
                                            • Opcode ID: 3d4c21c179987fecba757e9d1ddbb6a5e06c291919011fb33e3d343bb1df7a16
                                            • Instruction ID: 3ee1e1a8f5109a69c847991c04d91959f36e99b78ca3b0a14ca2ad00953865a8
                                            • Opcode Fuzzy Hash: 3d4c21c179987fecba757e9d1ddbb6a5e06c291919011fb33e3d343bb1df7a16
                                            • Instruction Fuzzy Hash: 4D31D229619B42A1FF14EF11E455169B360FB88B94F880671EB8D07BACCF3CE440D710
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _strdupfree
                                            • String ID: Start Date: %s$FALSE$Start Date$TRUE
                                            • API String ID: 1865132094-176635895
                                            • Opcode ID: 2562c43ade72985ab40276ff8f07cfc0aa0dc1fb67b228d8f09af814158ce288
                                            • Instruction ID: 4cd646c873e45d7f446c689f75ac3a4d7f1d34ab0a7e5d3ab83e87385cff6a1c
                                            • Opcode Fuzzy Hash: 2562c43ade72985ab40276ff8f07cfc0aa0dc1fb67b228d8f09af814158ce288
                                            • Instruction Fuzzy Hash: E921F569B1DBD265FB21AB25A4852F9B750FB06788FC840B2CA4E0776DCF2CE145D320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: freemalloc$_strdup
                                            • String ID: Signature: %s$Signature
                                            • API String ID: 1941130848-1663925961
                                            • Opcode ID: 6f8954757622b8ea05fe5c6ec76894bbbf769488daecf0bd9159efc2cf47188e
                                            • Instruction ID: a8a4e2e336f6c51bcad395bd6fcdae31988f3f85a92b6aad3cc7cffb10c25865
                                            • Opcode Fuzzy Hash: 6f8954757622b8ea05fe5c6ec76894bbbf769488daecf0bd9159efc2cf47188e
                                            • Instruction Fuzzy Hash: CB21656AA19B82A1FB60EB56E4452F9A390FF85784F840472DE4E0772DDF3CD045D710
                                            APIs
                                            • strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD17415
                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD17441
                                            • strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD17449
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD1746B
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF73AD1475C), ref: 00007FF73AD17482
                                            Strings
                                            Similarity
                                            • API ID: free$_errnostrerrorstrtoul
                                            • String ID: Invalid zoneid: %s; %s
                                            • API String ID: 439826447-2159854051
                                            • Opcode ID: 1f3b9447c6035e11cc22b055810892dee074b698cac5a45710cf028bc5c21e0c
                                            • Instruction ID: 7298d4979d2016c27e69f7fa00899d3324f6e2018c98be18853b56cc54f0d06c
                                            • Opcode Fuzzy Hash: 1f3b9447c6035e11cc22b055810892dee074b698cac5a45710cf028bc5c21e0c
                                            • Instruction Fuzzy Hash: DA11867AB28A42A2FF50EB61E451178A7B0EF86B84FD44071DA5D43678DF2CD845DB20
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD17324
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD1733A
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD1734E
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD17362
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD17376
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD1738A
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD1739E
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD173B2
                                              • Part of subcall function 00007FF73AD402B0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD173CB,?,?,00000000,00007FF73AD12E13,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD402C5
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: 688671a343e0bd118dc6fd9af653c32ff16310287b6f5f93e47a1f593174d7cb
                                            • Instruction ID: 8bcbbb4f9eda879a26e6e322816c7d368a812eec1c445f0bda5e705b740e0a68
                                            • Opcode Fuzzy Hash: 688671a343e0bd118dc6fd9af653c32ff16310287b6f5f93e47a1f593174d7cb
                                            • Instruction Fuzzy Hash: C811943A518F81D1E700AF21E9950EC73A4FBC9FDAB984075DE9E4F768DF3880958220
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD145F6), ref: 00007FF73AD10E01
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD145F6), ref: 00007FF73AD10E11
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD145F6), ref: 00007FF73AD10E1F
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD145F6), ref: 00007FF73AD10E2D
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD145F6), ref: 00007FF73AD10E3B
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD145F6), ref: 00007FF73AD10E49
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD145F6), ref: 00007FF73AD10E57
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD145F6), ref: 00007FF73AD10E65
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: f21c44d06512a6ebe019ce33eb4fb3121d333ff9d31fc09cbc773e96172c0f0f
                                            • Instruction ID: 701f9b9ee231ee9e5290186657a395a3bac041099c5916807129b149fabf557d
                                            • Opcode Fuzzy Hash: f21c44d06512a6ebe019ce33eb4fb3121d333ff9d31fc09cbc773e96172c0f0f
                                            • Instruction Fuzzy Hash: 9A01B33A518F01D2E700AF21E58503CB7B4FB89F987905165CE9E42728CF38C4A9C250
                                            APIs
                                            • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF73AD1473B), ref: 00007FF73AD13ED7
                                            • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF73AD1473B), ref: 00007FF73AD13F08
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: calloc
                                            • String ID:
                                            • API String ID: 2635317215-0
                                            • Opcode ID: e693126a3825e5ead405ff9acfc9aa64935a849bb492540464474959ba8c6496
                                            • Instruction ID: 004806caae70127dfa4a054fb80d4f70d945717ae07448ea3374ac1b201e7e6e
                                            • Opcode Fuzzy Hash: e693126a3825e5ead405ff9acfc9aa64935a849bb492540464474959ba8c6496
                                            • Instruction Fuzzy Hash: 0391BF2A609BC199E7459F3894403ED7BA0F755B28F484276CFBC0B3DADF2991A4C721
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$mallocmemcpy
                                            • String ID: Start Date: %s$Start Date
                                            • API String ID: 3401966785-2389359183
                                            • Opcode ID: 193f476417fba50e8a6c1ffd11df03c09d75bc8203ed1090ad101fba35108fd6
                                            • Instruction ID: 25ff96aed5a3ca7597c500cbee1c9bb2b14c8f576c14e114878b4d2d6bad8dcc
                                            • Opcode Fuzzy Hash: 193f476417fba50e8a6c1ffd11df03c09d75bc8203ed1090ad101fba35108fd6
                                            • Instruction Fuzzy Hash: 90417F59A1D6E226FF18A722405A2B8B791FF06790FC442F5C66F077DDDE2CA045A320
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                            • String ID:
                                            • API String ID: 1775671525-0
                                            • Opcode ID: 5475502e648e30785465817cdc5c6ee60d669828067962c10bf7b12e21fccadb
                                            • Instruction ID: ab566f47ef5874b6042e81746aacc1413e8036d9ae26d55cacb8f5029b301f5b
                                            • Opcode Fuzzy Hash: 5475502e648e30785465817cdc5c6ee60d669828067962c10bf7b12e21fccadb
                                            • Instruction Fuzzy Hash: C131F26671A642A5FE15BB16A4261A8E361EB44BE4F840B71DE6D07BC9DF3CE081D320
                                            APIs
                                            • memcpy.VCRUNTIME140(?,?,00000000,?,?,0000000F,00007FF73ACF4995,?,?,?,?,?,00007FF73ACF1C5B), ref: 00007FF73ACF5D23
                                            • memcpy.VCRUNTIME140(?,?,00000000,?,?,0000000F,00007FF73ACF4995,?,?,?,?,?,00007FF73ACF1C5B), ref: 00007FF73ACF5D31
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,?,0000000F,00007FF73ACF4995,?,?,?,?,?,00007FF73ACF1C5B), ref: 00007FF73ACF5D6A
                                            • memcpy.VCRUNTIME140(?,?,00000000,?,?,0000000F,00007FF73ACF4995,?,?,?,?,?,00007FF73ACF1C5B), ref: 00007FF73ACF5D74
                                            • memcpy.VCRUNTIME140(?,?,00000000,?,?,0000000F,00007FF73ACF4995,?,?,?,?,?,00007FF73ACF1C5B), ref: 00007FF73ACF5D82
                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF73ACF5DB1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                            • String ID:
                                            • API String ID: 1775671525-0
                                            • Opcode ID: a9eb11d8d8117c9354b0a377b7a1f2999a274e88e93302033774ebc5ecbeed83
                                            • Instruction ID: 42f31f00556734f72a7716734eea2d0c61d6f8d711a48aa77c2c7f507a26f427
                                            • Opcode Fuzzy Hash: a9eb11d8d8117c9354b0a377b7a1f2999a274e88e93302033774ebc5ecbeed83
                                            • Instruction Fuzzy Hash: 54412A6571B646A5FE24EB15A51526DE390FB04BD0F840630DFAD0BBCADF3CD041A320
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdupstrchr$mallocstrncpy
                                            • String ID:
                                            • API String ID: 2121287944-0
                                            • Opcode ID: 5d62b3837f066d61397288db362985870f9119d87ca65c280d65034f9eb39680
                                            • Instruction ID: 94c6892ba8ca1396c0dfafb1491c9c90112cd5f37bd6071adf1bbcfc04061026
                                            • Opcode Fuzzy Hash: 5d62b3837f066d61397288db362985870f9119d87ca65c280d65034f9eb39680
                                            • Instruction Fuzzy Hash: EF311765A19B9197FA54FF21A841236BBA0EF95B90F8846B4DE4D03799EF3CE0809310
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
                                            • API String ID: 1294909896-517259162
                                            • Opcode ID: b00ff19d728a505862d6724352d6f8a54f5636cb91fc230e2f50254375608459
                                            • Instruction ID: 8c20421969e5fd8b6b1aac96306e38f41fba662ee0b71a439948ddeb6f578092
                                            • Opcode Fuzzy Hash: b00ff19d728a505862d6724352d6f8a54f5636cb91fc230e2f50254375608459
                                            • Instruction Fuzzy Hash: FA41B469B19B9269FB10AB6194451F9A7A1FF05BC8F8844B6CE0E0779EDF3CE144D320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
                                            • API String ID: 1294909896-2901970132
                                            • Opcode ID: 6e052a58277e0f9d47c0b405635fcb18a605dfa7d0efdbe0dbbedaa4faf728e6
                                            • Instruction ID: d73be420ae9cf2261325c9d998792c3bef9df1c6fc447d51401a79188f9476e1
                                            • Opcode Fuzzy Hash: 6e052a58277e0f9d47c0b405635fcb18a605dfa7d0efdbe0dbbedaa4faf728e6
                                            • Instruction Fuzzy Hash: C1318269A1DB9265FB10AB6694021F9A761FF45788FC444B5CE4E0779EDF3CE104A320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freemalloc
                                            • String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
                                            • API String ID: 3061335427-2901970132
                                            • Opcode ID: 820a20d9b48d801fa2c1390dc93463265361c239ee7e788a834818dde5867bad
                                            • Instruction ID: 5469fe6b7c36e4aec3a5e9545002a0eaa8366304b9fc408282da1cfe518a64b2
                                            • Opcode Fuzzy Hash: 820a20d9b48d801fa2c1390dc93463265361c239ee7e788a834818dde5867bad
                                            • Instruction Fuzzy Hash: A931A26DA1DB9265FB10AB6694021F9A7A1FF45784FC444B5CE4E0B79EDF3CE104A320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freemalloc
                                            • String ID: Expire Date: %s$ Public Key Algorithm: %s$Expire Date$Public Key Algorithm
                                            • API String ID: 3061335427-2901970132
                                            • Opcode ID: d949e5b4fa27f26d256aa9e5f72a9fa30b3c1d8486262602a9927bfb222196b8
                                            • Instruction ID: 060f849f736b35f00787a840177ee07a35360f6cd7577aa5e96abd81f4009971
                                            • Opcode Fuzzy Hash: d949e5b4fa27f26d256aa9e5f72a9fa30b3c1d8486262602a9927bfb222196b8
                                            • Instruction Fuzzy Hash: 3F31A269A1DB9265FB10AB6694021F9A7A1FF45784FC444B6CE4E0775EDF3CE104A320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$malloc
                                            • String ID: Signature: %s$%s%lx$Signature
                                            • API String ID: 2190258309-1406629954
                                            • Opcode ID: a046c591825318778792a4adfb20fcc05dff740a8c7684e1a187925fe64dd097
                                            • Instruction ID: bc704a0985ddcc1282c0c7121b18cc77480de1d471b6969b89352f2a5577ce6b
                                            • Opcode Fuzzy Hash: a046c591825318778792a4adfb20fcc05dff740a8c7684e1a187925fe64dd097
                                            • Instruction Fuzzy Hash: FE31B42AB2DA92A5FE20AB26E4452B9A790FB45B84FC444B2DE4E0775DDF3DD004D710
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdupcallocfree
                                            • String ID:
                                            • API String ID: 1236595397-0
                                            • Opcode ID: 9798b4b2a5b5475cb8602e5a64c27a5e9ffe36cbfe2458f6a8f8a1688298187f
                                            • Instruction ID: 7d6e83ac9999b3faab3899c394a3bd1fbde46d9ee0828052eab7f1587eadaa06
                                            • Opcode Fuzzy Hash: 9798b4b2a5b5475cb8602e5a64c27a5e9ffe36cbfe2458f6a8f8a1688298187f
                                            • Instruction Fuzzy Hash: A031E636E18B8581FB40DB24D0653B9B7A0EB86B84F984070DE8D077D9DF3DD5859720
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freemalloc
                                            • String ID: Serial Number: %s$ Signature Algorithm: %s$Serial Number$Signature Algorithm
                                            • API String ID: 3061335427-517259162
                                            • Opcode ID: 69f5010e2cb87970ea5665302aa2f7c673abecca91bc384bf6bebc297968b28b
                                            • Instruction ID: c2e81b8c1257843daefdc52535565e5f009b711d990431728d57e9fa09ea1dc2
                                            • Opcode Fuzzy Hash: 69f5010e2cb87970ea5665302aa2f7c673abecca91bc384bf6bebc297968b28b
                                            • Instruction Fuzzy Hash: B331815DA2AB9269FB10AB6194421F9A7A0FF457C8FC844B5CE0E0775EDF3CE044A320
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CriticalSectionfree$CloseEnterHandleLeaveclosesocket
                                            • String ID:
                                            • API String ID: 469868127-0
                                            • Opcode ID: 42f99849b81ca2be3f30952e93cd363fd26a264c66b46ccd71e9ad8e9b1e78f6
                                            • Instruction ID: d8d3b789c707abfcf97ba8c8ecb1cba4b824ec0015313cd5c441a3e4ba613dcb
                                            • Opcode Fuzzy Hash: 42f99849b81ca2be3f30952e93cd363fd26a264c66b46ccd71e9ad8e9b1e78f6
                                            • Instruction Fuzzy Hash: 46213B7EA28A41A6F720EF12E555269B370FB89B90F844171CF8D03B59DF38E4A5D720
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _errno_strdup
                                            • String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
                                            • API String ID: 2151398962-2292467869
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _strdupstrchr
                                            • String ID: %s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced
                                            • API String ID: 3727083984-2292467869
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _strdupfree
                                            • String ID: Forcing HTTP/1.1 for NTLM$The requested URL returned error: %d
                                            • API String ID: 1865132094-1204028548
                                            APIs
                                              • Part of subcall function 00007FF73ACF50A0: memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73ACF50D1
                                              • Part of subcall function 00007FF73ACF49A0: memcpy.VCRUNTIME140 ref: 00007FF73ACF49F3
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF25B2
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF2600
                                            • __std_exception_copy.VCRUNTIME140 ref: 00007FF73ACF2650
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACF269D
                                            Strings
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo_noreturn$memcpy$__std_exception_copy
                                            • String ID: out_of_range
                                            • API String ID: 2484256320-3053435996
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _errno_strdupstrcspnstrncmpstrspn
                                            • String ID: 0123456789abcdefABCDEF:.
                                            • API String ID: 2191890455-446397347
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: isupper$free
                                            • String ID: %u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT
                                            • API String ID: 573759493-632690687
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: tolower$_time64
                                            • String ID: :%u$Hostname in DNS cache was stale, zapped
                                            • API String ID: 4068448496-2924501231
                                            APIs
                                            • memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73ACF50D1
                                            • memcpy.VCRUNTIME140(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73ACF5196
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73ACF51EA
                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF73ACF51F1
                                              • Part of subcall function 00007FF73AD50FD4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF73ACF517E,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73AD50FEE
                                            Strings
                                            Similarity
                                            • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                            • String ID: https://keyauth.win/api/1.2/
                                            • API String ID: 1155477157-3933380396
                                            APIs
                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,0000006E00000006,?,FFFFFFFF,00007FF73ACF11FC), ref: 00007FF73AD0242F
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,0000006E00000006,?,FFFFFFFF,00007FF73ACF11FC), ref: 00007FF73AD0246C
                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,0000006E00000006,?,FFFFFFFF,00007FF73ACF11FC), ref: 00007FF73AD02476
                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF73AD024A9
                                            Strings
                                            Similarity
                                            • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                            • String ID: https://keyauth.win/api/1.2/
                                            • API String ID: 1775671525-3933380396
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$_errnofreememcpyrecv
                                            • String ID: Recv failure: %s
                                            • API String ID: 267823591-4276829032
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _strdupfreemalloc
                                            • String ID: Unrecognized content encoding type. libcurl understands %s content encodings.$identity
                                            • API String ID: 3985033223-1703240927
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: isupper$_strdupfree
                                            • String ID: FALSE
                                            • API String ID: 3359907120-3701058176
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _strdupfreestrpbrk
                                            • String ID: RCPT TO:<%s>$RCPT TO:<%s@%s>
                                            • API String ID: 1812939018-579818044
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _strdupfree
                                            • String ID: %s: %s$FALSE$TRUE
                                            • API String ID: 1865132094-3430445539
                                            APIs
                                              • Part of subcall function 00007FF73AD46030: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD42AC5), ref: 00007FF73AD46056
                                              • Part of subcall function 00007FF73AD46030: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD42AC5), ref: 00007FF73AD46077
                                              • Part of subcall function 00007FF73AD46030: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD42AC5), ref: 00007FF73AD46092
                                              • Part of subcall function 00007FF73AD46030: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD42AC5), ref: 00007FF73AD460A0
                                              • Part of subcall function 00007FF73AD46030: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD42AC5), ref: 00007FF73AD460B2
                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD46156
                                            Strings
                                            Similarity
                                            • API ID: free$malloc
                                            • String ID: HTTP$NTLM
                                            • API String ID: 2190258309-4188377180
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free$mallocmemcpy
                                            • String ID: TRUE
                                            • API String ID: 3401966785-3412697401
                                            • Opcode ID: 503df20941894dd05817090ea6110ecb8c0015b96493430b6075ddb7b97a7345
                                            • Instruction ID: 7ad8bee4b5f8503086c311603b7bade77978b378e9f952bad29f74779614162a
                                            • Opcode Fuzzy Hash: 503df20941894dd05817090ea6110ecb8c0015b96493430b6075ddb7b97a7345
                                            • Instruction Fuzzy Hash: CF419D29B2D6B111FF099A258556334AB52EB217E0F8446F1CA7E473CDDD6CD085E320
                                            APIs
                                            • strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF73AD4F340), ref: 00007FF73AD4F3EF
                                              • Part of subcall function 00007FF73AD296A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF73AD0C6CA,?,?,?,?,?,?,?,00007FF73AD0C497), ref: 00007FF73AD296B1
                                              • Part of subcall function 00007FF73AD296A0: strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF73AD29853
                                              • Part of subcall function 00007FF73AD296A0: strchr.VCRUNTIME140(?,?,?,00000000,TRUE,?,00000000,00000000,00000000,?), ref: 00007FF73AD29870
                                            • strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF73AD4F340), ref: 00007FF73AD4F45E
                                            • strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF73AD4F340), ref: 00007FF73AD4F478
                                            • strchr.VCRUNTIME140(?,?,?,?,?,?,00000000,00000000,00000000,00007FF73AD4F340), ref: 00007FF73AD4F4AE
                                            Strings
                                            Similarity
                                            • API ID: strchr$_errno
                                            • String ID: xn--
                                            • API String ID: 2644425738-2826155999
                                            • Opcode ID: c79b631c925c8fed7e64f0654754f54019a6642498fb5314199a77bfbbff4ebe
                                            • Instruction ID: b8eb9d21a0f3412eefcd1fdd67ea11c308112bfd785de3fba82a7469530fcfd2
                                            • Opcode Fuzzy Hash: c79b631c925c8fed7e64f0654754f54019a6642498fb5314199a77bfbbff4ebe
                                            • Instruction Fuzzy Hash: A941B569B2D69265FA54BB259616379D281DF49FC0FC881B0DE0D8B7D9EE2CE0069320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: callocfreememset
                                            • String ID: CONNECT phase completed!$allocate connect buffer!
                                            • API String ID: 3505321882-591125384
                                            • Opcode ID: 02122fb670f95e4680fa0b8412fc1b979c5b91a7cbdbfcd238f2d9e750053ce3
                                            • Instruction ID: 88173df69621501f4400b479802bd5443d7616acc9f9fe58f4ec136d0f9273d5
                                            • Opcode Fuzzy Hash: 02122fb670f95e4680fa0b8412fc1b979c5b91a7cbdbfcd238f2d9e750053ce3
                                            • Instruction Fuzzy Hash: A651F176B18A82A2FB98AB31D5453B9B790FB44B88F844175CB9C07298CF38E5A5D310
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free
                                            • String ID: Start Date: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$Start Date
                                            • API String ID: 1294909896-619256714
                                            • Opcode ID: eacb30e3594ebde5f6590ea5a488e59deb89f246858472ac5d47ec3a8222ecce
                                            • Instruction ID: 423aad3155d53da07e3dc7f513f981a7fed36d4b1513581a545a232e11e27efa
                                            • Opcode Fuzzy Hash: eacb30e3594ebde5f6590ea5a488e59deb89f246858472ac5d47ec3a8222ecce
                                            • Instruction Fuzzy Hash: 74510A69A2D6E265FB20AB6695051B8FB95FB01780FC444F1CA8E07B9CCF3CE545D310
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free$mallocmemcpy
                                            • String ID: %s: %s
                                            • API String ID: 3401966785-1451338302
                                            • Opcode ID: 33fe3cd53c052a8f52918f313d5978767c9ff85833e7f2896b176aac414e2e04
                                            • Instruction ID: d09155d4c19135c38ccf13ae0e09d0aace801c868fef4ac8e836e5677d8904fd
                                            • Opcode Fuzzy Hash: 33fe3cd53c052a8f52918f313d5978767c9ff85833e7f2896b176aac414e2e04
                                            • Instruction Fuzzy Hash: B5418059B1A2E115FB686A0550173B5E781EB01BE0F8442F9DE6F077EDDE1CD045A320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _errnofreememcpy
                                            • String ID: Failed to parse FETCH response.$Found %I64d bytes to download$Written %zu bytes, %I64u bytes are left for transfer
                                            • API String ID: 738009125-4268564757
                                            • Opcode ID: 4ae53719eda81be3619a15e5971cd4c86f31f99aa1279c2f122383002890b1e8
                                            • Instruction ID: 3d5110e970573126f36be395c9b6dd512a31ce0682c3e53de2007294c2c8ccf6
                                            • Opcode Fuzzy Hash: 4ae53719eda81be3619a15e5971cd4c86f31f99aa1279c2f122383002890b1e8
                                            • Instruction Fuzzy Hash: 1851036AA1CBC6A2FB14AF65E0012B9E390FB45B90F8480B1DB9C03A89DF7DE105D310
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free
                                            • String ID: Start Date: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT$Start Date
                                            • API String ID: 1294909896-2752585153
                                            • Opcode ID: 7536c33d4b664c36956b7512549dbe7af3e0457de8c3688253e52be0a1d78b24
                                            • Instruction ID: a4e94f204e21ef41febb3a1cf20bd4035b7c204ea0833657eae22f052c4927f4
                                            • Opcode Fuzzy Hash: 7536c33d4b664c36956b7512549dbe7af3e0457de8c3688253e52be0a1d78b24
                                            • Instruction Fuzzy Hash: AC318469A2DBD2A5FB20AB2194421F9F751FB01784FC844F2C64E166ADCF3CE545E320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free$malloc
                                            • String ID: Signature: %s$Signature
                                            • API String ID: 2190258309-1663925961
                                            • Opcode ID: 0ae7bc32dfde1e44976f247f69b262b3651234647b7ad7448afd5ca34fc4c152
                                            • Instruction ID: a40c135ed7bbaf2b9aeb5eb7492cea1759e7a80eef0aaf7406a42f51ca684e0c
                                            • Opcode Fuzzy Hash: 0ae7bc32dfde1e44976f247f69b262b3651234647b7ad7448afd5ca34fc4c152
                                            • Instruction Fuzzy Hash: 0221D42AB19AC295FB20DB26E4452E9B790FB49BD4F880172DE5D03799DF3CD101C710
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free
                                            • String ID: Failure sending QUIT command: %s$QUIT
                                            • API String ID: 1294909896-1162443993
                                            • Opcode ID: a2dc73e1f7e223c13207ce6256c376ad950f39672d62e1f961c22585476f092a
                                            • Instruction ID: ba18663c0fd285b18321d2c9c8f57e83a3b20798b6e0fa511c4b9907cb39702f
                                            • Opcode Fuzzy Hash: a2dc73e1f7e223c13207ce6256c376ad950f39672d62e1f961c22585476f092a
                                            • Instruction Fuzzy Hash: 32319039B28782A1FB50EF25E5462B9B7A0FF45F84F8840B1DA4D07A99DF2CD045D321
                                            APIs
                                            Similarity
                                            • API ID: free$calloc$memcpy
                                            • String ID:
                                            • API String ID: 3478730034-0
                                            • Opcode ID: 0e05d63f43bc4aabd14c096ffe02587e52b5dd76bdd45876307a715eab033dfd
                                            • Instruction ID: fbf3ace9a02f6ec42476358bd41f34acefe1789ae6b4499b318852bdbb94b85f
                                            • Opcode Fuzzy Hash: 0e05d63f43bc4aabd14c096ffe02587e52b5dd76bdd45876307a715eab033dfd
                                            • Instruction Fuzzy Hash: 15210275A18B8696F710EF129411239B7A0FF49B90FC48271CA9D173A8EF3CD444D310
                                            APIs
                                            Similarity
                                            • API ID: strchr$_strdupmalloc
                                            • String ID:
                                            • API String ID: 4236146995-0
                                            • Opcode ID: 2fc5cf7da16eeb57b8c5a1c92921b51f7a5f6d48bfe00402c3925fb617c9476e
                                            • Instruction ID: ca761c4724801502e88f7519f2f8c643bb3782742ff9c2a31825fd424e6c5f02
                                            • Opcode Fuzzy Hash: 2fc5cf7da16eeb57b8c5a1c92921b51f7a5f6d48bfe00402c3925fb617c9476e
                                            • Instruction Fuzzy Hash: 27219D66A26B8581FF85DB2590523A9A3E0EB89B84F4C0174DE4E0B78CEF3DD490D320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: freemallocmemcpy
                                            • String ID: Start Date: %s$Start Date
                                            • API String ID: 3056473165-2389359183
                                            • Opcode ID: 74d982c46b0fb71d9b9944cac7731b98f4219aa97643b58c5056d5cbc2121cbf
                                            • Instruction ID: 60863af05f9180fb57745cdaed73b0ca8192d64d90335ae41581c3df24019777
                                            • Opcode Fuzzy Hash: 74d982c46b0fb71d9b9944cac7731b98f4219aa97643b58c5056d5cbc2121cbf
                                            • Instruction Fuzzy Hash: 5921F49CA1D79225FE25AB2295052B4A791FF16BD4FC845B2CD1E077EDDF3CA0059320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free$malloc
                                            • String ID: Signature: %s$Signature
                                            • API String ID: 2190258309-1663925961
                                            • Opcode ID: 9c76cbae48e3cc96b7d64792a01c02ff53c849fef6793e5b78573a6e3cb627b0
                                            • Instruction ID: 457553cbc4258754c95f886294703dec6b5854886bb185e0dadb84990a740611
                                            • Opcode Fuzzy Hash: 9c76cbae48e3cc96b7d64792a01c02ff53c849fef6793e5b78573a6e3cb627b0
                                            • Instruction Fuzzy Hash: 8921836AA1DA92A5FB60EB66E4452EAA350FB85784F8404B2DE4E0772DDF3CD041D710
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: malloc$free
                                            • String ID: Signature: %s$Signature
                                            • API String ID: 1480856625-1663925961
                                            • Opcode ID: 01447bc762b5f057cc8802f27067c044a5880ce2bce5529b4648f1e552d4b95b
                                            • Instruction ID: d70c0118eb6f32d62a19e269a6d5acc13ae7c2f9eeedcf1640fdebf1261169d1
                                            • Opcode Fuzzy Hash: 01447bc762b5f057cc8802f27067c044a5880ce2bce5529b4648f1e552d4b95b
                                            • Instruction Fuzzy Hash: 9621566AA19A82A6FB60EB66E4452EAA350FF85784F840472DE4E0772DDF3CD045D710
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: malloc$free
                                            • String ID: Signature: %s$Signature
                                            • API String ID: 1480856625-1663925961
                                            • Opcode ID: a7f44e3e96a7ad5015016feabe955c0d7dcfd0faaee6b7e82b2b5648de3ccba8
                                            • Instruction ID: 1dc6ddfd57cd4c8b64b123ab1c3b414da5513b336faa0a8206fe6f4e55d4e1ad
                                            • Opcode Fuzzy Hash: a7f44e3e96a7ad5015016feabe955c0d7dcfd0faaee6b7e82b2b5648de3ccba8
                                            • Instruction Fuzzy Hash: E621986AA19B82A5FB60EB66E4452EAA350FF857C4F840472DE4E0772DDF3CD005D710
                                            APIs
                                            • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF73AD04319), ref: 00007FF73AD04C7F
                                            Strings
                                            Similarity
                                            • API ID: strncpy
                                            • String ID: Host not found$Host not found, try again$No data record of requested type$Unrecoverable error in call to nameserver
                                            • API String ID: 3301158039-3625861382
                                            • Opcode ID: fc3e0d2a966c5590e554ce929c9b04165eebd2722ea8005c66163da69181b5bf
                                            • Instruction ID: 822b110f39c3cb526b62ff52d85039ad07bb2c7a34990cf6b4480e3a7401a842
                                            • Opcode Fuzzy Hash: fc3e0d2a966c5590e554ce929c9b04165eebd2722ea8005c66163da69181b5bf
                                            • Instruction Fuzzy Hash: A7113AD9A2C24272FE5CE759E555678A250EF25740FCB80B0C60E07A5CCF6CE480A32A
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CriticalSectionfree$CloseEnterHandleLeaveclosesocket
                                            • String ID:
                                            • API String ID: 469868127-0
                                            • Opcode ID: 0c4de6103340c91aa5d79bf8c93c5b545b6861024ef3979e422a4b0b05426bbc
                                            • Instruction ID: e3a8e5fd707f92cfd0c496d0643a9f1167df7d281b7758d6510a9892181fdf52
                                            • Opcode Fuzzy Hash: 0c4de6103340c91aa5d79bf8c93c5b545b6861024ef3979e422a4b0b05426bbc
                                            • Instruction Fuzzy Hash: 96116A7EA18A41A6F720EF12E155229B370FB89B90F444075CF8E03B48CF39E4A4A720
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: isupper$free
                                            • String ID: TRUE
                                            • API String ID: 573759493-3412697401
                                            • Opcode ID: ed558bd1317cd0217e9bf3e3aad0d43463dc720fdae0ee89c423ade7e9118a03
                                            • Instruction ID: 8840c42432ca6efd7f640c6d44e39acdb95bdd6b17b8c04809254e7cb39f917c
                                            • Opcode Fuzzy Hash: ed558bd1317cd0217e9bf3e3aad0d43463dc720fdae0ee89c423ade7e9118a03
                                            • Instruction Fuzzy Hash: 6A314A69A1C6A254FB01DB248455378BFA1EB21B94FC842F1CA9A42ACDDF2CD141D320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: acceptgetsocknameioctlsocket
                                            • String ID: Connection accepted from server$Error accept()ing server connect
                                            • API String ID: 36920154-2331703088
                                            • Opcode ID: 62de29c2e25f6ebae38a3eaa55f6f9f7aab595138637e61e55fe0c510996d5b3
                                            • Instruction ID: 004d13c16bb8c0c54f1d4f30d9bb483667d0cbdd8c7919c4a69edc00ca7afdbf
                                            • Opcode Fuzzy Hash: 62de29c2e25f6ebae38a3eaa55f6f9f7aab595138637e61e55fe0c510996d5b3
                                            • Instruction Fuzzy Hash: D031D665A28A81A2FB54EB21E4453AEB390FB48BE4F844271DE6D077C9CF7DE105D710
                                            APIs
                                            • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD25909), ref: 00007FF73AD25F5D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: realloc
                                            • String ID: Failed to alloc memory for big header!$Rejected %zu bytes header (max is %d)!
                                            • API String ID: 471065373-1365219457
                                            • Opcode ID: 9e01f8961ef5be40a1890896d528835c6e623e1d0a7c956b559c6d0c19572698
                                            • Instruction ID: 58b0b912c2c74a0cad7b31a47ccbdbb1da7e239b32a38bc1484f13cbcecd679a
                                            • Opcode Fuzzy Hash: 9e01f8961ef5be40a1890896d528835c6e623e1d0a7c956b559c6d0c19572698
                                            • Instruction Fuzzy Hash: BB218D36B18A8496EB04AB25E4412ADB7A1FB49FC4F844032EF4D07B59DF3CD4A1D700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$_strdup
                                            • String ID: :
                                            • API String ID: 2653869212-336475711
                                            • Opcode ID: 27f373e76fe487eacdaf8c9d00deb372ed2a2e53d0d3cf8282777c8af0880508
                                            • Instruction ID: dca8ba4e31e5bcda2a8fe68cbc7bdf6378926012e49555279aa880f1c324218b
                                            • Opcode Fuzzy Hash: 27f373e76fe487eacdaf8c9d00deb372ed2a2e53d0d3cf8282777c8af0880508
                                            • Instruction Fuzzy Hash: 8E21AE3A608B8295FB61EF14A5413A9B7A0EB44B90FC84171CF9C43799EF3CD414A721
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %s%s$LIST "%s" *
                                            • API String ID: 0-1744359683
                                            • Opcode ID: 948bbce8d14dfe89a09e90d542d3459616c12cbb4065bce92b9a4f3ea9b72cb0
                                            • Instruction ID: c53205bc5f2e9a1869192e6836aa9fded5d6066558ab291fba8688e4ee1866dd
                                            • Opcode Fuzzy Hash: 948bbce8d14dfe89a09e90d542d3459616c12cbb4065bce92b9a4f3ea9b72cb0
                                            • Instruction Fuzzy Hash: 9E11A229B28A46A1FB14EB55E4421B8A350EF48FC4FC84475DE0D0B75DDF2CE595E360
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdupfreemalloc
                                            • String ID: Start Date: %s$Start Date
                                            • API String ID: 3985033223-2389359183
                                            • Opcode ID: 136e47e71169975f25c81fd149021705cba020a777d3ccb449e7d5a5ace93594
                                            • Instruction ID: 8618a039d4aa4a34edec7349e2eb663c6190b720bb3f5aaa3daf759384fdcc00
                                            • Opcode Fuzzy Hash: 136e47e71169975f25c81fd149021705cba020a777d3ccb449e7d5a5ace93594
                                            • Instruction Fuzzy Hash: 7501285DA1D7D235FB10A72254451F8B751EF02784FC844F1C50F0666ECF2CA044E321
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: strchr$mallocmemcpy
                                            • String ID:
                                            • API String ID: 320687583-0
                                            • Opcode ID: d9754526e8ec7729d08537bfd0fec0a7a66dea100b8898ab23bfcf2811e09562
                                            • Instruction ID: 7a10d799543ac218a056048726627187042ddaf126bd3573dcf9b4d2f30c40c7
                                            • Opcode Fuzzy Hash: d9754526e8ec7729d08537bfd0fec0a7a66dea100b8898ab23bfcf2811e09562
                                            • Instruction Fuzzy Hash: 30214819A2D69550FE49A71651122B8E7C1DF04BC4F8C41B1EE9C0BBCAEF1CD409D730
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD23755), ref: 00007FF73AD23378
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD23755), ref: 00007FF73AD23381
                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD23755), ref: 00007FF73AD233FA
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD23755), ref: 00007FF73AD2340B
                                            • memcpy.VCRUNTIME140(?,?,00000000,00007FF73AD23755), ref: 00007FF73AD23434
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$mallocmemcpy
                                            • String ID:
                                            • API String ID: 3401966785-0
                                            • Opcode ID: 079045454393bd4436d714cab6de9035883289fe841c5bd94baab3580fbb733b
                                            • Instruction ID: 073e213d72a80cb2c32537e8c22363121c4305a1fb82c8bb463ce3c0ab4b16ed
                                            • Opcode Fuzzy Hash: 079045454393bd4436d714cab6de9035883289fe841c5bd94baab3580fbb733b
                                            • Instruction Fuzzy Hash: 8A317E3AA18B4991FB20AF12E441269E790EB45FE4F8452B1DE6D47BD8DF3CE541D310
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD42AC5), ref: 00007FF73AD46056
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD42AC5), ref: 00007FF73AD46077
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD42AC5), ref: 00007FF73AD46092
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD42AC5), ref: 00007FF73AD460A0
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD42AC5), ref: 00007FF73AD460B2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: 918dd943ff8532622e0b077ffe73aa97a1a12716735c3b20e00f1d8ce67ee5b4
                                            • Instruction ID: 29cc7ed76ef02d37373de89d1b8fbc130ac114f272dd903d09c6dd526b9cc291
                                            • Opcode Fuzzy Hash: 918dd943ff8532622e0b077ffe73aa97a1a12716735c3b20e00f1d8ce67ee5b4
                                            • Instruction Fuzzy Hash: 7D11D33A628F4592EB04AF25E99113CB7A4FF94F88B8440B5CE9E07728CF38D895D350
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$TRUE
                                            • API String ID: 1294909896-910067264
                                            • Opcode ID: d706ce3eee7725947a570d34d782daa4728fafa7d37f5553dccaacf76f26a133
                                            • Instruction ID: 7187471da2aedd424143a415ee92cbc499044fdaf3485f6b3c3426c4f56f8955
                                            • Opcode Fuzzy Hash: d706ce3eee7725947a570d34d782daa4728fafa7d37f5553dccaacf76f26a133
                                            • Instruction Fuzzy Hash: FA512969B2C6A664FB119B24A506279FBA5EB21790FC480F2CA4D0379CCF3CE541D310
                                            APIs
                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,0000000100000000,00007FF73AD01581,?,?,?,?,00000000,?,?,00007FF73AD018EF), ref: 00007FF73AD01DB5
                                            • memset.VCRUNTIME140(?,?,?,?,?,?,0000000100000000,00007FF73AD01581,?,?,?,?,00000000,?,?,00007FF73AD018EF), ref: 00007FF73AD01DBE
                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,0000000100000000,00007FF73AD01581,?,?,?,?,00000000,?,?,00007FF73AD018EF), ref: 00007FF73AD01DC3
                                            • _invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,0000000100000000,00007FF73AD01581,?,?,?,?,00000000,?,?,00007FF73AD018EF), ref: 00007FF73AD01DCF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _errno_invalid_parameter_noinfomemcpymemset
                                            • String ID:
                                            • API String ID: 187659361-0
                                            • Opcode ID: 1bc60ed9cbc554ddcf13200f1c4322be4e085bd72ef8049019ff1378857b2d41
                                            • Instruction ID: 8e783dd7a8fb80833e21a74d5eee40904778457c6a8e667e9d8dc973c39243fb
                                            • Opcode Fuzzy Hash: 1bc60ed9cbc554ddcf13200f1c4322be4e085bd72ef8049019ff1378857b2d41
                                            • Instruction Fuzzy Hash: 0A41157AB29A5192EB14EB1AA40557CF3A1FB84F80F958035EE1C83B88CF3DD4819721
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: %s: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s
                                            • API String ID: 1294909896-2632828617
                                            • Opcode ID: 13908b3e50d49d2d69390df7b3cbeadc92813e3a12137ca8b9e2b70f6f334e4b
                                            • Instruction ID: d927f35258afdd747c1b2d63043944549e077df7e81b96c708fa32c43931eefb
                                            • Opcode Fuzzy Hash: 13908b3e50d49d2d69390df7b3cbeadc92813e3a12137ca8b9e2b70f6f334e4b
                                            • Instruction Fuzzy Hash: D941D869A2CAA265FA619B11A5072B9E794FB41B90FC480F1DE8C0376CDF3CE445D710
                                            APIs
                                            • memcpy.VCRUNTIME140 ref: 00007FF73ACFFCAF
                                              • Part of subcall function 00007FF73AD50FD4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-3333333333333333,00007FF73ACF517E,7FFFFFFFFFFFFFFF,https://keyauth.win/api/1.2/,-3333333333333333,00007FF73ACF1A19), ref: 00007FF73AD50FEE
                                            • memcpy.VCRUNTIME140 ref: 00007FF73ACFFC9C
                                            • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF73ACFFD1D
                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF73ACFFD2A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                            • String ID:
                                            • API String ID: 1155477157-0
                                            • Opcode ID: f0e0b6e57dc9044e1787cda88c30a1aaab9991b858eb677f98df076c66d70e5f
                                            • Instruction ID: 4ba5608ec342fd4a93875404873b6fa147781a57c31d2c4f562ad71ccb444512
                                            • Opcode Fuzzy Hash: f0e0b6e57dc9044e1787cda88c30a1aaab9991b858eb677f98df076c66d70e5f
                                            • Instruction Fuzzy Hash: 6441DF66B16A8AA1FE14EF26D4552A8A360EB04BE0F948631DE6D077C8DF3CE091D350
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,00007FF73AD2FFC0,?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?), ref: 00007FF73AD4CA63
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD4CAEC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: %s
                                            • API String ID: 1294909896-3043279178
                                            • Opcode ID: db79e29e0a8a6addec1acd2cfd9679d3c72370d78614f4c82530095888520be1
                                            • Instruction ID: d5785f709e5dbfd1039387fcec4ea9035cfae8b3c7fd1a2433cf57d474815a36
                                            • Opcode Fuzzy Hash: db79e29e0a8a6addec1acd2cfd9679d3c72370d78614f4c82530095888520be1
                                            • Instruction Fuzzy Hash: 5B41A436618B8592FB51DB2AF5451AAF3A0FB45B94F444174DF9E03BA9DF3CE0819310
                                            APIs
                                            Similarity
                                            • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                            • String ID:
                                            • API String ID: 1775671525-0
                                            • Opcode ID: 8cf4b4e336199e342cea90b092cf6a23320c781039690d49b146c6c16dc89e24
                                            • Instruction ID: 24bf94d748eb6df800508666e96cac52e8d4ff05091e1c7398a668ab5bd77289
                                            • Opcode Fuzzy Hash: 8cf4b4e336199e342cea90b092cf6a23320c781039690d49b146c6c16dc89e24
                                            • Instruction Fuzzy Hash: 0831086670A78A65FD14AB15A51526CE351FB04BE0F980770DF6D0B7CACF7CE051A310
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD37FA4
                                              • Part of subcall function 00007FF73AD17890: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73AD179B5
                                              • Part of subcall function 00007FF73AD17890: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF73AD179D0
                                            Strings
                                            Similarity
                                            • API ID: fwrite$free
                                            • String ID: %s%s$Wildcard - "%s" skipped by user$Wildcard - START of "%s"
                                            • API String ID: 3468156532-1133524294
                                            • Opcode ID: 23f949e1bac83c3977c68f5f7698d4e318435f3dbbb8aa99a60b1d5f21adfdac
                                            • Instruction ID: 5909ae6d08fd42da5fde9b70538ec112c633c07402dfbb002535849cf850b72d
                                            • Opcode Fuzzy Hash: 23f949e1bac83c3977c68f5f7698d4e318435f3dbbb8aa99a60b1d5f21adfdac
                                            • Instruction Fuzzy Hash: D041817AA18E82D0F710EF26E4451ADB3A0FB84B85F854072DE4D4B399DE3AD445D320
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free
                                            • String ID: %s: %s$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$GMT
                                            • API String ID: 1294909896-1153420294
                                            • Opcode ID: acba063d456fd53cfbb1bc12989434ce91aea9a9303b6133fdc54564046a48c0
                                            • Instruction ID: ab37e6741f71fdc58b00443cb288c9751a35ff513554db03b779fcc032d54863
                                            • Opcode Fuzzy Hash: acba063d456fd53cfbb1bc12989434ce91aea9a9303b6133fdc54564046a48c0
                                            • Instruction Fuzzy Hash: 3331046AA1DB92A4FB60AB50E0066E9B3A1FB05780FC440F2DE4D0326DCF7CE549E310
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: freemallocmemcpy
                                            • String ID: TRUE
                                            • API String ID: 3056473165-3412697401
                                            • Opcode ID: a6be11678876d8a0775db988cc1d43a9510aa85ed541163c077362283927d48a
                                            • Instruction ID: e208b11fc2f36ba6c317a1ff044cd18434862e44e273dd9f5441024a20a245b8
                                            • Opcode Fuzzy Hash: a6be11678876d8a0775db988cc1d43a9510aa85ed541163c077362283927d48a
                                            • Instruction Fuzzy Hash: 3821216AB1976610FF069B269515374A752FB25BE0F8885F2CD2D037CCEE3CE0819320
                                            APIs
                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD12032
                                            • memcpy.VCRUNTIME140 ref: 00007FF73AD1206D
                                              • Part of subcall function 00007FF73AD073C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD073D5
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD120A2
                                              • Part of subcall function 00007FF73AD074D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD11AD0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD03901), ref: 00007FF73AD074F7
                                              • Part of subcall function 00007FF73AD074D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD11AD0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD03901), ref: 00007FF73AD07503
                                            Strings
                                            Similarity
                                            • API ID: free$malloc$memcpy
                                            • String ID: %s:
                                            • API String ID: 901724546-64597662
                                            • Opcode ID: 6048c71ea6257bdc43a0bba89fc31871b9d5a1fd88ea2959e310517747b66f0b
                                            • Instruction ID: f91e6cc9a274f220024ebd845a1ab94b57a12ab607eee89099c272e455d2eb19
                                            • Opcode Fuzzy Hash: 6048c71ea6257bdc43a0bba89fc31871b9d5a1fd88ea2959e310517747b66f0b
                                            • Instruction Fuzzy Hash: CE21072AA18B85A1EB04DF12E84116AF3A4FB54FE4F880672DEAD073A9DF3CD441C350
                                            APIs
                                            Similarity
                                            • API ID: isupper$_strdupfree
                                            • String ID:
                                            • API String ID: 3359907120-0
                                            • Opcode ID: 0aae88a8b418aa0f19e41eaa1b69d34950181fec64235eaf72de8941643402e2
                                            • Instruction ID: 351444a2eb8cd996abdb0f8e49964d3c0c893bab57c20e261de4393b1c42417d
                                            • Opcode Fuzzy Hash: 0aae88a8b418aa0f19e41eaa1b69d34950181fec64235eaf72de8941643402e2
                                            • Instruction Fuzzy Hash: F221F759D2DAF265FB16EB248456338EFA0DB31B80FC845F1C58A05A99DF2C9541E330
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: freemallocmemcpy
                                            • String ID: %s: %s
                                            • API String ID: 3056473165-1451338302
                                            • Opcode ID: 58132a24d1db3b81fcdb7ee983368b60f5907245edec6adad14252c18534d2c4
                                            • Instruction ID: 0cd2d4253f538f15cd3160e8b95718905eadfbe72af39747164c060415a9cd82
                                            • Opcode Fuzzy Hash: 58132a24d1db3b81fcdb7ee983368b60f5907245edec6adad14252c18534d2c4
                                            • Instruction Fuzzy Hash: 31212699B1A79251FA65AB02A4023B5D391FF41FE0F8441B1DE6D03BE9EF3CD0459310
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: free
                                            • String ID: Start Date: %s$%s%lx$Start Date
                                            • API String ID: 1294909896-3519493645
                                            • Opcode ID: a5497cacc0ead59f75fb1d1f7df1ac04cce61eb46eeb04d54d005a90402780e0
                                            • Instruction ID: 6c7ea458e6796344606db00df0d1bcd5cfa9d6044988d44a6b7784113e7b3afb
                                            • Opcode Fuzzy Hash: a5497cacc0ead59f75fb1d1f7df1ac04cce61eb46eeb04d54d005a90402780e0
                                            • Instruction Fuzzy Hash: C621B85DB2D6A265FE20B72594552B9B752EF067C4FC484F1CA0E0769EDF2DE004E320
                                            APIs
                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF73AD1AD48), ref: 00007FF73AD1AE95
                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00007FF73AD1AD48), ref: 00007FF73AD1AEAF
                                            Strings
                                            Similarity
                                            • API ID: strncmp
                                            • String ID: I32$I64
                                            • API String ID: 1114863663-3980630743
                                            • Opcode ID: 5ac4aff93cd9173e0b3c8dc82fc01bb30f4ddb3efa4cc0dcc3832ea56ba46bb6
                                            • Instruction ID: 7f76d1e075e32b5908076b11f0b1447c384931844fd388edf0744867d7c5a6f3
                                            • Opcode Fuzzy Hash: 5ac4aff93cd9173e0b3c8dc82fc01bb30f4ddb3efa4cc0dcc3832ea56ba46bb6
                                            • Instruction Fuzzy Hash: 7C21262AA1C55261FB65AB30D4517B8BF94DB09F88F8981B0DE69422D9DF1CE604E370
                                            APIs
                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD45C39,00000000,?,?,00007FF73AD451F6), ref: 00007FF73AD44EF9
                                            • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD45C39,00000000,?,?,00007FF73AD451F6), ref: 00007FF73AD44F30
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD45C39,00000000,?,?,00007FF73AD451F6), ref: 00007FF73AD44F42
                                            • memcpy.VCRUNTIME140(?,?,?,00007FF73AD45C39,00000000,?,?,00007FF73AD451F6), ref: 00007FF73AD44F6A
                                            Similarity
                                            • API ID: freemallocmemcpyrealloc
                                            • String ID:
                                            • API String ID: 3881842442-0
                                            • Opcode ID: 409fb63f1dbabc7059c14c7ad51cbb97c6bd1d57c9e6da3c0836238f48eb24ee
                                            • Instruction ID: 5986fd8975da59c37bd0ffd2b490e9f4746d5dba335abf2fa9298a9fd6b92c7b
                                            • Opcode Fuzzy Hash: 409fb63f1dbabc7059c14c7ad51cbb97c6bd1d57c9e6da3c0836238f48eb24ee
                                            • Instruction Fuzzy Hash: 45215E7661AF8182EB44DF15E051229A3A0FB98FD8B888471EE5E4775DEF3CD492C710
                                            APIs
                                            • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD12259,?,?,?,?,00007FF73AD115FB), ref: 00007FF73AD2DD08
                                            • GetEnvironmentVariableA.KERNEL32(?,?,?,00007FF73AD12259,?,?,?,?,00007FF73AD115FB), ref: 00007FF73AD2DD2E
                                            • realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD12259,?,?,?,?,00007FF73AD115FB), ref: 00007FF73AD2DD4F
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF73AD12259,?,?,?,?,00007FF73AD115FB), ref: 00007FF73AD2DD60
                                            Similarity
                                            • API ID: realloc$EnvironmentVariablefree
                                            • String ID:
                                            • API String ID: 2828309815-0
                                            • Opcode ID: 2f21f6e09c1fe2ecdb4125b404c2cd2583ae5b5b32c867e8dc97f938a78dfa98
                                            • Instruction ID: 592ac80c2b72e4489ee6ba8fb0fb34d19be32f438f528e63c15731dcd74fb423
                                            • Opcode Fuzzy Hash: 2f21f6e09c1fe2ecdb4125b404c2cd2583ae5b5b32c867e8dc97f938a78dfa98
                                            • Instruction Fuzzy Hash: 60110624B2CF4652FB21AB12684123AE291FF48FC0F984174DD8D43B5CDE3CE441A750
                                            APIs
                                            Similarity
                                            • API ID: ByteCharMultiWide$freemalloc
                                            • String ID:
                                            • API String ID: 2605342592-0
                                            • Opcode ID: 576d94c567ea143205d5456bfd911414481cb44b69333d7e16038638280f938f
                                            • Instruction ID: 30d220c4131d3d7b8e5e51233c1c97b08c130d313b542608458b05a4774e16d7
                                            • Opcode Fuzzy Hash: 576d94c567ea143205d5456bfd911414481cb44b69333d7e16038638280f938f
                                            • Instruction Fuzzy Hash: EE115B39B19B4196F710AF66F801139BBA1FB88FC0B888078DB4D47B28DF38E5419750
                                            APIs
                                            Similarity
                                            • API ID: _strdupfree$strchr
                                            • String ID:
                                            • API String ID: 1739957132-0
                                            • Opcode ID: 8f8c9b388968d59187acbf13e01ce192fc2d1f278f42d39f6c3032117d50db66
                                            • Instruction ID: af142cb17d4f30a4fe9c09c8df29977cd7aac6bd396b99aa7af07ee398925ebc
                                            • Opcode Fuzzy Hash: 8f8c9b388968d59187acbf13e01ce192fc2d1f278f42d39f6c3032117d50db66
                                            • Instruction Fuzzy Hash: 4A01C059B2DB9152FF6DAB16614A03C9390EF48FC0F8C40B0D95E4ABACDE1CD8899324
                                            APIs
                                            Similarity
                                            • API ID: free$CriticalDeleteSectionclosesocket
                                            • String ID:
                                            • API String ID: 3086658127-0
                                            • Opcode ID: 9317843b204cf3aa27de858c7ce3ba9428558499e938221aca4af4a76e8cca6e
                                            • Instruction ID: 85864b063378980c118816c7393b1098a7f78e36b4dc34d83a82687c641d7b99
                                            • Opcode Fuzzy Hash: 9317843b204cf3aa27de858c7ce3ba9428558499e938221aca4af4a76e8cca6e
                                            • Instruction Fuzzy Hash: 7A015E16D29B8293FB04EF31C8251786320FFE9F2CB416375EE6D011E99F68A5D48211
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: strncmp
                                            • String ID: I32$I64
                                            • API String ID: 1114863663-3980630743
                                            • Opcode ID: bfd9abe20c2194c7a547db7db60806149fd282d46a3ca008b148d2aa09f63ad8
                                            • Instruction ID: cb58c083f9b4a81c7363ffd6acebc75428e1948cccd80015d80d1cde307d88c8
                                            • Opcode Fuzzy Hash: bfd9abe20c2194c7a547db7db60806149fd282d46a3ca008b148d2aa09f63ad8
                                            • Instruction Fuzzy Hash: 12F0E91D72C54261FA15A735D891A74AF94DF05BA4F884175CD19412A8CF1CE200E330
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: strncmp
                                            • String ID: I32$I64
                                            • API String ID: 1114863663-3980630743
                                            • Opcode ID: a20af989950f38f715416b43359656774cb27ca6125a4bd3b80a2c9c98538dc9
                                            • Instruction ID: e5d74ec8ab0a067569cf129b0d8b3a35f9fe9cdfe2af018ebd175d8d0147fdf0
                                            • Opcode Fuzzy Hash: a20af989950f38f715416b43359656774cb27ca6125a4bd3b80a2c9c98538dc9
                                            • Instruction Fuzzy Hash: 70F0E91D72854261FB15A735D891A75AF95DF05BA4F884175CD29412A8CF1CE200E330
                                            APIs
                                            • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF73AD18316), ref: 00007FF73AD42F74
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _errno
                                            • String ID: %lx
                                            • API String ID: 2918714741-1448181948
                                            • Opcode ID: b3576095e6cbe19f00c1db53c3d3bf63dcd0032912793789c90c2e776903a214
                                            • Instruction ID: 37774deb4b53135c7853558b79d1541700458029a554c15767ab9ef76b2aa314
                                            • Opcode Fuzzy Hash: b3576095e6cbe19f00c1db53c3d3bf63dcd0032912793789c90c2e776903a214
                                            • Instruction Fuzzy Hash: 5F81BF26A2C1E155FB689728945123DFBD0FB85350FD442B6EAAF42AC8DE3CD440DB20
                                            APIs
                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?,00000000,00007FF73AD2E663), ref: 00007FF73AD2ED52
                                            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_,?,00000000,00007FF73AD2E663), ref: 00007FF73AD2EDA3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdupmalloc
                                            • String ID: (){ %*]
                                            • API String ID: 3515966317-731572209
                                            • Opcode ID: 2c64296991aafd75ce64477886228899d052147cf239b4c66f338c7503e8426a
                                            • Instruction ID: 0a3a0dbe0378e838208701342ac3a3dbbddb46faeac7cff90238577bc79976d2
                                            • Opcode Fuzzy Hash: 2c64296991aafd75ce64477886228899d052147cf239b4c66f338c7503e8426a
                                            • Instruction Fuzzy Hash: 5831581992C68EA4FF616B159052378AFC1DF9AF54FC841F1D98E033CECE2DA905E220
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdupfree
                                            • String ID: %ld
                                            • API String ID: 1865132094-1112595699
                                            • Opcode ID: 6fb6ba93543ac036398a7cf10b57c335e5774396d2bb3bf3bb3699da90a5cc20
                                            • Instruction ID: 2a19f13816ca5b8b54235dddcda504c2dfd00344ce22162c1590b59c036d80e8
                                            • Opcode Fuzzy Hash: 6fb6ba93543ac036398a7cf10b57c335e5774396d2bb3bf3bb3699da90a5cc20
                                            • Instruction Fuzzy Hash: D531C82AA1DA5252FB65EB54B162379A3A0EF84754F8800F1DE4E03699EF3CE445E720
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdupmalloc
                                            • String ID: identity
                                            • API String ID: 3515966317-1788209604
                                            • Opcode ID: e3f824e5db481aaec559bdcc1b8a4c7e670b803b2b684f634ec680f15ffb3f4f
                                            • Instruction ID: 64e3ac55f6bdd1d8256094467c728da07171cd3e77e2afa490dd2cf2012fec8f
                                            • Opcode Fuzzy Hash: e3f824e5db481aaec559bdcc1b8a4c7e670b803b2b684f634ec680f15ffb3f4f
                                            • Instruction Fuzzy Hash: 1F31D269F19A46A1FB41AB25D446379E7A0EF45BE8F8852B1CE2D0339CDF2CE4419320
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: mallocrealloc
                                            • String ID:
                                            • API String ID: 948496778-3916222277
                                            • Opcode ID: 99e95ef9c0d79bada1b492d3325eacd8281b78ea4f026bfdb2577ecddf15ecfd
                                            • Instruction ID: ab886d71723197b39f3b1e1d33c4da46ef22c97ca45e86538c0034c13f2f5813
                                            • Opcode Fuzzy Hash: 99e95ef9c0d79bada1b492d3325eacd8281b78ea4f026bfdb2577ecddf15ecfd
                                            • Instruction Fuzzy Hash: 3511B176619B8181EB849F25F15022DB7A1FB08FD4F889176DA5E0779CEF38D990C350
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: getsockoptsetsockopt
                                            • String ID: @
                                            • API String ID: 194641219-2726393805
                                            • Opcode ID: 43af713e43ee33898e78cbb97f9ead40aeb9bb65a7c03a8105035dbe704cbb1e
                                            • Instruction ID: ca102d3379323458ca96ee203222dd8de1638340e270568fd643acc48e5d4790
                                            • Opcode Fuzzy Hash: 43af713e43ee33898e78cbb97f9ead40aeb9bb65a7c03a8105035dbe704cbb1e
                                            • Instruction Fuzzy Hash: 0F11AB7961864296F750DF10E44666AF7A0FB80348FD404B0DA4947B98DB7ED548DB10
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD0A58A
                                            • memcpy.VCRUNTIME140 ref: 00007FF73AD0A6BC
                                            • memcpy.VCRUNTIME140 ref: 00007FF73AD0A6D8
                                              • Part of subcall function 00007FF73AD1FB70: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD08493,?,?,00000000,00007FF73AD12D62,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD1FBAC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: freememcpy
                                            • String ID:
                                            • API String ID: 3223336191-0
                                            • Opcode ID: e28d7ab1a66bd1c441e12a284493ed169fd3e96c034aafa9e4a13bcc798a2788
                                            • Instruction ID: 39b442b3883c37d9864e5a2155cd3c41425536439dd8df3e0f300aac45d3e767
                                            • Opcode Fuzzy Hash: e28d7ab1a66bd1c441e12a284493ed169fd3e96c034aafa9e4a13bcc798a2788
                                            • Instruction Fuzzy Hash: 7CC18D7AB24A029AFB14EB65D0012AC73B1FB49BA8F804275CE2D577D8DF38D40AD351
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: _strdupfreemalloc
                                            • String ID: %s: %s
                                            • API String ID: 3985033223-1451338302
                                            • Opcode ID: 4fdb4a16937e58a4216fd58d0ba080712087579a3b19316dd641c9686de44ad4
                                            • Instruction ID: ad1b782bd70d98a9a83db3733746531881a4f80e154a1b368f02d1c632297e10
                                            • Opcode Fuzzy Hash: 4fdb4a16937e58a4216fd58d0ba080712087579a3b19316dd641c9686de44ad4
                                            • Instruction Fuzzy Hash: 82F08199A1DB9161FA65A712B4027E59350EB45BD0FC844B1DE4D0376A9F2CD185A320
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF73AD42148), ref: 00007FF73AD4F041
                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF73AD42148), ref: 00007FF73AD4F054
                                            • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF73AD42148), ref: 00007FF73AD4F07B
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF73AD42148), ref: 00007FF73AD4F088
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide$freemalloc
                                            • String ID:
                                            • API String ID: 2605342592-0
                                            • Opcode ID: 183133224f0a0fd6c7434f8f6492c773fce796329d67c77eef161969da384f5b
                                            • Instruction ID: 71f586246fd182a326b50d70d1da5dd11125bd1ff3efbf37216304e255a00dd3
                                            • Opcode Fuzzy Hash: 183133224f0a0fd6c7434f8f6492c773fce796329d67c77eef161969da384f5b
                                            • Instruction Fuzzy Hash: 3E119136B28B5293FB209B1AF41112AABA0FF89B94B884275DB5C47B68DF3CD4409710
                                            APIs
                                              • Part of subcall function 00007FF73AD074D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD11AD0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD03901), ref: 00007FF73AD074F7
                                              • Part of subcall function 00007FF73AD074D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD11AD0,?,?,?,?,?,?,?,?,?,?,00000000,00007FF73AD03901), ref: 00007FF73AD07503
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD0D9D6
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD0D9E6
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF73AD0D9F4
                                            • memset.VCRUNTIME140 ref: 00007FF73AD0DA2F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free$memset
                                            • String ID:
                                            • API String ID: 2717317152-0
                                            • Opcode ID: 999e9f889ad85bc3c8658c339eaac5db47bbd93aea279649c0d8283c2b411533
                                            • Instruction ID: 14fef5e02aba62ae47ba9bfeb511dae7d84d3718d1fc7e4ab97f203dd7ddb10d
                                            • Opcode Fuzzy Hash: 999e9f889ad85bc3c8658c339eaac5db47bbd93aea279649c0d8283c2b411533
                                            • Instruction Fuzzy Hash: 16210C36E28B81A3E704DB22D6412A8A760F799744F519236EB9C43A65DF74F1F5C300
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: 2a76ef7fa5bd881fc1f4ad6f33c99be355a1e82a0e01096d0ea61af40f1052e5
                                            • Instruction ID: eebb9334a430f5a42b793ea563d66e52a9893e3150690ab0ca24d8cf96fdcce3
                                            • Opcode Fuzzy Hash: 2a76ef7fa5bd881fc1f4ad6f33c99be355a1e82a0e01096d0ea61af40f1052e5
                                            • Instruction Fuzzy Hash: 1A11283AA28B4192FB14AF25E89523CA7A4FF94F84F9440B1CA5E03768CE3CD894D311
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: 93d07097a9f8805a64ec638d08541beec57b625efa615f68170694a84fdea58f
                                            • Instruction ID: 5663e2eeb55d04c324055e42c24bda2941223346a865fca68494968f657e236d
                                            • Opcode Fuzzy Hash: 93d07097a9f8805a64ec638d08541beec57b625efa615f68170694a84fdea58f
                                            • Instruction Fuzzy Hash: 17113D3A614B40D6E7409F25E580268B3A4F784F44F884075DF8E57328CF38E895D360
                                            APIs
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD1A1A5,?,?,00000000,00007FF73AD12E61,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD43F90
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD1A1A5,?,?,00000000,00007FF73AD12E61,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD43FB6
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD1A1A5,?,?,00000000,00007FF73AD12E61,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD43FC4
                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF73AD1A1A5,?,?,00000000,00007FF73AD12E61,?,?,00000000,00007FF73AD13395), ref: 00007FF73AD43FD2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1590038465.00007FF73ACF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73ACF0000, based on PE: true
                                            • Associated: 00000000.00000002.1589989121.00007FF73ACF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590075559.00007FF73AD53000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590098816.00007FF73AD6B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.1590156032.00007FF73AD6C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff73acf0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: 4c9238fcdfe54545355688457451ffa8a4c98b9a5698b4f9ff7576b26b05f1e3
                                            • Instruction ID: 154769a317c8f24285568ccc7be9a77c4f65e0d5fea11fb5a77f33258330cf72
                                            • Opcode Fuzzy Hash: 4c9238fcdfe54545355688457451ffa8a4c98b9a5698b4f9ff7576b26b05f1e3
                                            • Instruction Fuzzy Hash: 14F0EC3A614F0192EB04AF25E995028B7B4FF98F887954171CE9D43778CF38C4A5C350